The 13 vulnerabilities of Ryzen
-
Well, as more than one of you may know, it wasn't long ago that the news spread (with your permission) that up to 13 vulnerabilities of different levels had been discovered, affecting AMD's new platform, the Ryzen processors.
In this news, the company CTS-Labs has released a report detailing the security incidents that occurred during their analysis of this family of processors.
This report was sent to AMD 24 hours before it was made public.
The response from AMD was as follows: "We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops."
That's the news so far, now let's learn something about CTS-Labs...
...which appears like this on LinkedIn:
"About us
CTS provides security consulting to semiconductor and embedded systems manufacturers.
Our company brings 16 years of expertise in cyber-security and cryptography into the developing field of semiconductor security.
Website: http://www.cts-labs.com
Headquarters: Tel Aviv
Year of creation: 2017
Type of company: Privately funded.
Specialties: Firmware Authentication, Cryptographic Hardware Logic, Secure Design and Code Review, Secure Storage for Cryptographic Secrets, Mitigation against Memory Corruption, Data Encryption, In-Depth Auditing, Security Compliance, Vulnerability Research"
(Notice the numbers.)
...which has a large staff...
...and among all of them, I would highlight their CFO...
...who claims to have a bachelor's and master's degree from Yale University... in philosophy. He is also related to an investment management company in New York, of which he was the CEO. His brother, who I suspect is the brains behind that bunch of stomachaches, has started more than half a dozen companies, hasn't finished any of the degrees he started, but then again, he does have a charming smile.
And finally, I would highlight the only one with a degree related to the silicon world, their CEO, who I honestly doubt has the necessary capacity for the feat they supposedly accomplished.
In summary, if we add to this that these vulnerabilities should be communicated 90 days in advance so that the company in question, in this case AMD, can fix them or issue a statement with the necessary information, personally I am convinced that it is nothing more than a torpedo launched with ulterior motives, since although these vulnerabilities do exist in reality, it has little to do with the interest in cybersecurity.
What do you think?
-
It looks bad in all cases, both if there is some truth in all the assumptions made by these "so-called" experts, and if it is a defamation ploy aimed at making quick money on the stock market (which seems not to have worked) or to get some (many) clicks. We will see how things continue, and what AMD publishes on the page enabled for this purpose, which you link to above.
Best regards!
-
I hadn't heard about this issue (I've been a bit busy lately). The truth is that it's all very strange. I don't know what kind of profitability they would get from discrediting AMD, but if they are truly exploitable vulnerabilities, I'm sure there are states and organizations that would have paid a fortune to have exclusive access to this information.