Linus Torvalds against the claims of CTS Labs

CTS Labs, an almost unknown company from Tel Aviv, claimed to have discovered over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, the creator of Linux, publicly challenged them.

Torvalds said on Google+:

“When was the last time you saw a tip stating: "if you replace the BIOS or CPU microcode with a bad version, you might have security holes?"

Or, as one commenter put it in the same thread, No device is safe: if you have physical access to a device, you can simply pick it up and walk away. Am I a security expert?”

They are right.

CTS Labs jumped out of nowhere to give AMD less than 24 hours to deal with these "problems".

The startup released its findings in a white paper and a video describing the vulnerabilities. All the security holes, of course, have flashy names: Ryzenfall, Master Key, and Chimera.

CTS Labs claimed in an interview that AMD did not fix the problems for "many, many months or maybe even a year."

But why do they do that? According to Torvalds:

"It sounds more like a manipulation than a safety tip for me."

But these are real bugs. Dan Guido, Managing Director of Trail of Bits, a security company with a proven track record, said:

“Regardless of the marketing hype, the bugs are real, accurately described in the technique (which is not public), and the code with the exploits works.”

But Guido also admitted: “Yes, all bugs require admin [privileges], but they're all bugs, not some expected ity.”

The Linux creator agrees that these are bugs, but all the advertising around them bothers him:

Are there any errors? Yes. Do they matter in the real world? No.

Administrator access is required, and it would be almost criminal negligence to give that access to someone you do not know. For Torvalds, malicious security reports are an annoyance and a distraction from the real work.

Torvalds believes that “there are real ones security”. According to Torvalds: "A catchy name and website are almost essential for a security disclosure these days."

Torvalds caustically states that “security people need to understand that they look like clowns because of this. The whole security industry just has to admit that they have a lot to do and that they need to use and encourage critical thinking.”

What Torvalds really wants from developers and security researchers, as he recently wrote, is:

The first step should ALWAYS be "mention it". Mention it. Nothing else.
"Do no harm" should be your mantra for any new hardware work.


Written by giorgos
