CTS Labs, an almost unknown company from Tel Aviv, claimed to have discovered over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, the creator of Linux, publicly challenged them.
Torvalds, he says Google+:
When was the last time you saw a security tip say, "If you replace the BIOS or CPU microcode with a bad version, you may have security vulnerabilities?"
Or, as one commenter put it in the same thread, No device is safe: if you have physical access to a device, you can simply pick it up and walk away. Am I a security expert? ”
They are right.
CTS Labs jumped out of nowhere to give AMD less than 24 hours to deal with these "problems".
Startup released its discoveries in a white paper and a video that describes the vulnerabilities. All of the security loops, of course, have fancy names: Ryzenfall, Master Key, Fallout and Chimera.
CTS Labs claimed in one interview which showed that AMD did not fix the problems for "many, many months or maybe even a year."
But why do they do that? According to Torvalds:
"It sounds more like a manipulation than a safety tip for me."
But these are real bugs. Dan Guido, Managing Director of Trail of Bits, a security company with proven history, said:
"Regardless of the advertising campaign, the errors are real, they are accurately described in the technical report (which is not public) the code with the exploits works."
But, Guido also admitted: "Yes, all bugs require admin [privileges], but all are bugs, and not some expected functionality."
The Linux creator agrees that these are bugs but that all of their advertising is bothering him:
Are there any errors? Yes. Do they matter in the real world? No.
A system administrator is required and it would be almost criminal negligence to give access to someone you do not know. For Torvalds, malicious security reports are annoying and distractions for the real job.
Torvalds believes that "there are real security researchers." According to Torvalds: "A catchy name and a website are almost essential for a security revelation these days."
Torvalds caustically states that "security people need to understand that they look like clowns because of this. The whole security industry just has to admit that they have a lot to do and that they need to use and encourage critical thinking. ”
What Torvalds really wants from developers and security researchers, as he recently wrote, is:
The first step should ALWAYS be "mention it". Mention it. Nothing else.
"Do no harm" should be your mantra for any new hardware work.