If you’re a South African reading this, you know about Viceroy Research already thanks to the panic they induced by claiming that Capitec Bank was fraudulently managing its business, was full of corrupt bank managers, and was about to be placed under the curatorship of the Reserve Bank to avoid people losing their life savings. I know several people personally who had Capitec accounts, asked me about the claims, and withdrew all their money into another bank account anyway just to be safe. Viceroy’s latest target, as it emerged on Tuesday, was AMD.
This past week a newly formed security firm, CTS Labs, released a whitepaper detailing some vulnerabilities that were found on modern AMD platforms. Viceroy Research was somehow in possession of the whitepaper before CTS Labs went to the press, and drew up their own press release targeting AMD in a bid to move its stock price, in the hope of shorting it and making a lot of money.
This story is being broken up into two parts because each individual effort, by Viceroy and by CTS Labs, had the potential to cause massive amounts of damage to AMD’s stock price and public image. Before going into this, I’d like to remind readers that if an attacker ever has remote access to your system, or physical access, and has a method of gaining administrative rights in either scenario, they can literally do anything they like to it, including walking out of the building with it.
CTS Labs’ Report on AMD vulnerabilities
On a website called amdflaws.com, CTS Labs published a whitepaper detailing thirteen vulnerabilities they had identified in AMD’s platform. They fall into four classes of exploits with the following names: MASTERKEY, RYZENFALL, FALLOUT, and CHIMERA (ALL CAPS to make this seem scarier). If you visit the website, things look very, very weird. Not only does CTS Labs only link to media stories that are positive about their research, they also only link to specific Twitter accounts and tweets that don’t refute or critically analyse their findings. And if the thirteen-plus links on the landing page to the same whitepaper aren’t enough to make you question whether you’ve fallen down the rabbit hole, the stock backgrounds used in their greenscreen interview video will certainly have you scratching your head.
CTS Labs claims that the four classes of vulnerabilities target all of AMD’s recent product lines, including Ryzen, Ryzen Pro, Ryzen Mobile with Vega Graphics, and EPYC servers. They target the secure processor on all platforms as well as the on-board chipset, codenamed Promontory, which is designed and manufactured by ASMedia and is directly integrated into the Ryzen/Summit Ridge die. However, the security firm only gave AMD 24 hours’ notice before alerting the media to their report’s existence, and did not approach AMD beforehand with their report. The report also does not contain sample code or details of the attacks they claim to have leveraged.
The first of these, MASTERKEY, requires that an attacker is able to flash the motherboard’s BIOS with a BIOS that has been altered in some way to allow them to run arbitrary code on the Secure Platform Processor in the Zen architecture. Using a BIOS carrying a digital signature from a matching vendor would allow someone to do this, and to start leaking data from your system. BIOS modification isn’t an uncommon attack vector, but it’s also something that’s widely used by enthusiasts to unlock hidden features in their hardware. There’s a small community of enthusiasts that hack Gigabyte motherboard BIOSes to unlock experimental features (in some cases necessary to make Hackintosh platforms work).
The second attack, RYZENFALL, requires that an attacker has both remote and administrative access to a system. They then use a specially crafted driver, digitally signed with a signature matching the one used by the motherboard vendor or AMD, to interface with the Platform Secure Processor on AMD systems. The PSP is the equivalent of Intel’s ME processor and is responsible for remote administration of the system, generating random numbers, and managing some of the security features that exist outside of the operating system.
The third attack, FALLOUT, attacks AMD’s EPYC family and targets the bootloader that loads an operating system once the system has passed the power-on self test (POST). As with RYZENFALL, the exploit requires local access with an account that has administrative privileges, and a specific driver digitally signed with the motherboard vendor’s key. Attacking the bootloader allows malware to be inserted into the system with boot persistence, and removing it requires a re-flash of the BIOS.
CHIMERA, finally, is not an attack itself, but rather an insecure implementation of AMD’s chipset firmware from vendor ASMedia. ASMedia is owned by Asustek, and provides chipsets and firmware for many different products, including USB 3.0 and SATA controllers, among other things. CTS Labs claims that the Promontory chipset embedded into Ryzen and other AMD Ryzen-based products carries firmware similar to that of older ASMedia chipsets, many of which they claim to have found vulnerabilities in. CTS Labs says that the vulnerabilities allow a host of things to be attacked or replaced, including executing code to run keyloggers, mounting man-in-the-middle attacks, and so on.
These are all real problems
In an interview with Tom’s Hardware, CTS Labs said that the reason they only gave AMD 24 hours’ prior notice was to spur the company on to work on these vulnerabilities as soon as possible. In the security industry, giving the company 30-90 days’ notice before revealing an exploit or vulnerability is considered fair, and gives the affected company enough time to respond. However, there are firms that work on the principle of zero disclosure, and instead only share sample code and details of exploits with the vendor after going to press with them.
Part of this is to give the company an incentive to fix the problem and own the PR problem at the same time. The other part is notoriety. Security companies are a dime a dozen in the market today, and researchers and netsec specialists live and die on their reputations and on what they’re able to crack next. Being as ballsy as CTS Labs in this manner gets them talked about, and sets them up for future customers to find them and learn about their past work. It wouldn’t surprise me to see them move to a 30-day disclosure in the future when working with AMD and other partners.
CTS Labs notes in their FAQ that they sent full details about the vulnerabilities they uncovered to AMD, Microsoft, HP, Dell, and other select vendors.
Viceroy’s part in all of this
While CTS Labs’ report was enough to start giving people reason to worry, it was Viceroy’s 35-page report that really got things going. CTS Labs appears to have no ties to Viceroy Research, despite the greenscreen backdrops and the somewhat juvenile presentation of their hacks and proofs. They appear to be a legitimate start-up promising to work with partners to make the industry more secure, and if they can do that for AMD, kudos to them. IT researchers don’t necessarily agree with the 24-hour disclosure, but that kind of approach may be necessary in a market as saturated as this one already is.
Viceroy Research somehow got their hands on an early copy of the whitepaper and proceeded to write their own 35-page report on the subject. Titled “AMD-The Obituary”, Viceroy’s report pulls out important details from the CTS Labs report and highlights them in an even more aggressive manner, and the firm claims that AMD’s stock is essentially worthless following these revelations. Among the claims the report makes, Viceroy says the following:
- AMD must immediately stop selling its Ryzen and EPYC processors
- [AMD] will have no choice but to file for Chapter 11 (bankruptcy)
- AMD failed to perform a satisfactory audit of its outsourced product, or simply ignored warnings and potential repercussions to its customers.
- We expect that vulnerabilities will extend across AMD’s GPU product lines
- Not one member of AMD’s management acquired one stock in the open market for over a year. Viceroy perceive this as a red flag, where management do not think AMD’s prospects are as rosy as portrayed to investors
- Viceroy’s consultants advise that it would be blatantly irresponsible for any Chief Information Security Officer (“CISO”) or Chief Technology Officer (“CTO”) to justify the purchase of AMD’s products
- We believe that demand for Ryzen, EPYC and other AMD’s products will be non-existent, AMD will no longer be profitable and riddled with massive liquidity issues and we do not believe there is hope for recovery.
Going through the report, Viceroy goes to great lengths to paint things in the worst possible light. They claim that the vulnerabilities are so devastating that AMD may as well close its doors this week. They say that the US government should investigate AMD for false advertising. They say that an immediate recall should be considered. They also note that the US Securities and Exchange Commission (SEC) recently announced that publicly traded companies should disclose all cybersecurity vulnerabilities the company faces to its investors, and say that AMD should be investigated by the SEC over its security issues.
As with Capitec, Viceroy also claims that AMD is making some creative choices when it comes to bookkeeping, fudging some numbers that mean nothing in order to look better to investors, possibly landing it in legal trouble and risking reputational harm. On this, Viceroy notes: “Make no mistake the AMD growth story is dead.”
While CTS Labs definitely does have some things to say that should worry buyers purchasing AMD systems in bulk, that’s not a worry for consumers like you and me. As long as you have a user account with a strong password, browse the web with an ad blocker, don’t visit fishy sites, use antivirus software and update it frequently, don’t allow access to your system from random open ports, and keep your operating system up to date, you’ll be okay. No-one’s targeting you, because you have limited value to hackers who do this thing professionally.
It’ll be up to AMD and their partners to work on managing their risk and the risk that their clients might carry, and that will be done with care and attention to the risks (presumably). No-one wants to be caught up in this sort of mess, and it’s in everyone’s interests, even CTS Labs, to see security holes plugged and removed from the systems that people come to rely on every day.
And if Viceroy’s goal was to use their report to scare people into selling stock and cause a rapid drop in price, giving them room to move in and make a lot of money, they failed. AMD’s stock price barely budged, and it didn’t drop the 6-8% that Intel’s did following the Meltdown and Spectre press releases. This was another opportunistic move from Viceroy to make money for themselves, and you should always keep in mind that this is their business model if you see them appear online again in another scandal.