Date: 2018-03-16

The disclosure of security flaws in Advanced Micro Devices (NASDAQ:AMD) chips by a previously unknown Israeli company, CTS-labs, took the market by surprise on Wednesday. As we discussed in our earlier article, the risk posed to AMD systems appeared minimal.

We now have confirmation that this assessment is accurate.

The confirmation comes from the very security company that CTS labs hired to validate its exploits – Trail of Bits. In a blog post, researcher Dan Guido says:

“There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers (see here, Figure 1).

These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features. They are the result of simple programming flaws, unclear security boundaries, and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit.”

This substantially undercuts the narrative from CTS labs that these exploits are somehow a big deal and Viceroy Research’s premature obituary for AMD. As we pointed out earlier, security experts have now widely panned the disclosures.

CTS’s methods and motives became much more suspect and questionable in a long interview by Ian Cutress at AnandTech and David Kanter at RealWorldTech.

The interview, which is well worth listening to or reading for those interested in the subject, makes it clear that CTS labs, at a minimum, is not upfront about its methods, approach, and pitch.

It appears that CTS Labs first found vulnerabilities in Asustek’s chipsets and validated them (likely on Intel (NASDAQ:INTC) x86 systems). Then, the Company went to look for those same errors and others in AMD x86-based systems. However, instead of pointing out that security problems existed in tens, if not hundreds, of millions of systems with Intel and AMD chips, CTS decided to target AMD.

CTS is also evasive about answering questions about who funded the research and who are the customers for the reports generated by CTS. Ian Cutress went on to summarize as follows:

“I’m more than willing to entertain the fact that as a first public high-level disclosure, a security company can be out of step with a few of the usual expected methods of responsible disclosure and presentation. A number of new security companies that want to make a name for themselves have to be bold and brash to get new customers, however we have never quite seen it to this extent – normally the work speaks for itself, or the security company will develop a relationship with the company with the vulnerability and earn its kudos that way. The fact that CTS-Labs went with a polished website (with nine links to download the whitepaper, compared to the Meltdown/Spectre websites that had one), and a PR firm is definitely a different take. The unilateral reasoning for a 0-day/1-day disclosure, followed by a self-rebuttal when presented with a more significant issue, shows elements of inconsistency in their immediate judgement. The lack of CVEs ready to go, despite the employees having many years of experience, as well as experience in the Israeli equivalent of the NSA in Unit 8200, does seem as opposites; an experienced security team would be ready. The swift acceptance that cloud-based systems are vulnerable but then going straight into doom and gloom, despite the limited attack surface in that market, shows that they are focusing on the doom and gloom. The reluctance for CTS-Labs to talk about clients and funding, or previous projects, was perhaps to be expected.

The initial downside of this story coming into the news was the foreboding question of ‘is this how we are going to do security now?’. Despite the actions of CTS and their decision to go with a 24-hour period, after speaking to long-term industry experts at high profile technology companies, a standard 90-180 day pre-disclosure period is still the primary standard that manufacturers would expect security companies to adhere with to actively engage with responsible information and verification. We were told that to go beyond/behind this structure ultimately formulates a level of distrust between the company, the security agency, and potentially the clients, regardless of the capabilities of the security researchers or the severity of the issues found; moreso if the issues are blown out of proportion in relation to their nature and attack surface.”

Prognosis

Trail of Bits, the security company hired by CTS-labs to make a case against AMD, has now substantially undercut CTS-labs' narrative about the security problems with AMD chips.

It now appears that many of the second-level problems identified are much more prevalent in tens, if not hundreds, of millions of systems that use Asustek chipsets. These systems include systems from Intel.

CTS-labs' interview with AnandTech and RealWorldTech further undercuts CTS-labs' narrative and calls into question the methods and motives, as well as a rush to magnify the scope of the problem and pin the story on AMD. While there is no doubt that there are several AMD-specific second-level problems, the scope of the problem is much larger than AMD systems.

CTS-labs was evasive about its customers, research funding sources, and motives. Essentially, we now have confirmation that the issue has been hyped beyond reason for reasons that are likely nefarious. At this point, it appears that CTS-labs and Viceroy Research may have colluded to manipulate AMD stock. We submit that this short narrative was severely overhyped, has no legs, and can now be put to bed.

Given that AMD was not given much notice on the disclosure, it may take AMD several days to respond to the claims and several weeks to identify solutions to the second-level exploits. There is little reason for investors to panic about any delays from AMD on this subject.

Given that we do not expect any significant performance penalties in patching these problems, we do not see this as being materially damaging to AMD other than increasing validation times. The Company will also need to expend resources in identifying and incorporating fixes in current and future designs.

We continue to view AMD as extremely well placed for 2018 and expect the Company to take considerable market share from Intel.

Our View: Strong Buy

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.

I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.