13 Critical Security Vulnerabilities and Manufacturer Backdoors discovered In AMD Ryzen Processors

I can't remember the last time I have seen something so scripted and so shady before. I hope both AMD and Intel fans can see the true nature of this supposed breaking story. It's just Intel's money hard at work paying people to find security flaws that the rest of the world would have never found or exploited for that matter. It is CTS Labs that has brought this to the attention of would be hackers. Intel's chips went ten years before being discovered, and who was it that discovered them and told the world about it, security firms. If these vulnerabilities ever get used now we can blame the security research teams for making them known.

Thanks Intel, keep spending your money on these efforts to find flaws in your competitors products. I will NEVER listen to or take seriously a research firm based in Israel. They will say whatever they are paid to say, period...

 

^wait what ? not even on med cannabis?

funny back in the 90's I had customer whose son got himself some penny stock online then proceeded to blab all over the place about these stocks ready to go up.
he made 1 mil.then he got busted for his age. he got fined 100k then they changed some laws for things like that because of him.
sure they were poised to do it anyway beforehand but that really made them do it pronto.

 

Lets step back a bit. Both AMD and Intel have been scrutinized with vulnerability allegations. Who has the most to gain by trying to convience the market that CPU's from those companies are "risky business" right now?

 

Suddenly,again the magic number: Thirteen.No skulls,no weird signs,just the magic of Thirteen.

Back to topic,Fake News at best. Israeli "researchers" fake news straight from Intel Corp.Bad move,Intel.
That picture from their "office" is marvelous.
That punks from @viceroyresearch needs to be granted with a big punch.

Thanks,Mr Hilbert.You did a good job with these fake news.

Spoiler: Fishy

 

they got holes in alpha and music is from audiojungle, hair is keyed quite good, despill is perfect.. its average work for 2 days, maybe one day if you have money, ok, preparation maybe took longer
they did it in hurry because those holes..
someone want scare people

 

Talk about Fake News...what a bunch of malarkey... Has it come down to web sites blindly publishing "stories" from unknown sites and unknown companies that only recently popped into existence? I'd rather not see this kind of crap as the Internet has enough of that of late. Unreal.

 

Hi all,

Just to add up a few words from my side, which everyone might find interesting.

It doesn't matter where exactly I work, but there are all the heads of Intel currently in Dublin on Intel's Round Table meeting 2018.

They have a Conference in Westin Hotel at Dame Street.

What is unusual while talking with one of the people from there today is that the guy mentioned that the actual amount of head staff from Intel and activity they have for this year was organized and set in the last two weeks almost over night + they never ever meet here in Dublin, almost always in Germany or somewhere else.

He also said he doesn't know why all the heads were brought in, as well as majority of the Conference is held behind the closed door between them.

Say what you want, but the actual event is holding place from today 14.03.2018. and now this news as well.

Something really fishy is going on here. This is my two cents to try and shed some light on things going on beside the actual website and Ryzen's 1st year from release being yesterday.

 

"WHOA!.!.!.!" ( MIND BLOWN....)

Makes sense to me.

 

I just don't understand whats going on with publishing these vulnerabilities. First Intel and AMD, now just AMD.

Why publish vulnerability now? Did Intel and AMD run out of time to fix these issues? Did documents got leaked? Is it already wide known on dark side of the Internet?

Publishing will cause panic and action, but is it rightly timed?

 

Remember a time when your biggest worry about your PC building hobby was should you get the white metal flat case this time and break conventions, or just stick with the grey flat case. lol

How times have changed.

 

I think that was precisely the point. Somebody (probably Viceroy Research) was looking to profit from dropping this bombshell, making it look like AMD had serious problems which would cause the stock to tank. If that was the motive then it backfired, as the stock rose instead.

The exploits, as described, don't seem all that serious as they require the systems to already be compromised. From what I've read, the main issue seems to lie with what happens when a hacker gains admin access, making the exploit much worse (e.g., installing malware that continues to exist after a format/wipe). This may indeed be something that AMD needs to look into, but for users who have implemented strong security measures already, it's more-or-less a non-issue. At any rate, it's nothing close to the severity of the Meltdown and Spectre exploits from earlier this year.

I'm hoping we'll know more in the coming days, but it's looking increasingly like someone was trying to manipulate the stock. Hopefully the SEC has a good look and fines whoever is responsible. I'm also sure that AMD will respond soon, and we'll have to see what they say.

EDIT: Oh, and I'd like to add, I don't think Intel was involved in this. Although they've been known to resort to shady/illegal tactics in the past, I don't see this as something they would engage in, especially considering the shoddy/amateurish nature of the actors involved. It's possible that they had some sort of hand in it (can't know for sure at this point) but I wouldn't consider them as the prime instigators. Again, we'll hopefully know more as times goes on.

 

that 24hours "blackmail" is BS
i mean amd doesnt need to reply within that... as what important is "proving" whether vulnerabilities is real or not... why need to rush ?
say they(CTS-Labs) will publish vulnerabilities after 24hours... it still mean nothing if it no proved to work... and "proof-of-concept" not always real-vulnerabilites imho

i personaly... not really care much about lately security news...
spectre-meltdown... then few weeks ago vulnerabilites in utorrent ... then today this...

cmon there no complete/perfect secure in first place anyway.... if we look deep there will always flaws ... thats is human-made

 

Hilbert, the title of your article is doing a lot to help this shady company hurt AMD. You should rephrase it and make it clear that these are unverified claims by a more than shady company. Their domain is registered through Domains By Proxy, a GoDaddy partner that hides the registrant's actual data. Not to mention that they took their website down.

Wccftech (and others) were a lot less sensationalist about this, avoiding the clickbait title on their original article and have already followed it up with another one:

The Low-down On Bizarre AMD Security Exploit Saga – You Will Want To Read This

"That’s not in itself something to get the pitchforks out for, but this is where it turns malicious. CTSLab’s reports were cited by a research firm called “Viceroy Research” in a 33-page document published just 2 hours 50 minutes ago (according to PDF metadata as inspected by Ian) after the former went live and with the headline of “AMD: The Obituary”. You can read the full report by Viceroy Research over here.

A quick lookup reveals Viceroy Research (VR) is a short group that gained notoriety (fame?) during the Capitec Bank saga in which they caused a massive downward correction in the banks stock and successfully executed a short play (thanks Wesley)."

 

Google the company's phone number.... It's a "security firm" based in Israel....but yet, the company's phone number is a mobile number based in New York, assigned by Verizon Wireless.

So, to summarize. A company based in Israel, has a service contract with Verizon Wireless for a cellphone and a number assigned in Rochester, New York.... So, why would a legitimate company, based in Israel, have a US cellphone contract (through Verizon Wireless) with a New York area code as it's only method of contact aside from e-mail? (more below...)

The "CFO" of the "company" is also a hedge fund manager at NineWells Capital Management, so he most likely has a financial stake in causing damage to AMD's stock price. NineWells Capital Management is also based in New York, NY....and CTS_Labs uses a New York based cellphone number for their business number, even though the company is supposedly based in Tel Aviv.... Coincidence there? I'd be willing to bet that the CTS_Labs company number is owned by Yaron Luk-Zilberman, the CFO of CTS_Labs, personally.

Gotta love the response from a Google Security Research (Arrigo Triulzi) there....

AMD's PSP and fTPM do have security flaws. The Google Cloud Security Team reported to have found security flaws in AMD's PSP and fTPM a few months ago, and reported them to AMD at the time. There's actually a (very brief) thread about it in another section of the forum and it's quite easy to find from a quick Google search. Here's the thread:
https://forums.guru3d.com/threads/amd-platform-security-processor-vulnerability.418812/

 

Looks like the gig is up.
https://www.moneyweb.co.za/in-depth/investigations/viceroy-unmasked/
http://www.afr.com/markets/viceroys...d-after-leaving-digital-trail-20180118-h0kjk3

 

Wait, what?

I find it funny how instantly the guys claiming this are the bad ones, while nobody even remotely considers this to be true. Talk about biased. Let's wait and see what AMD has to say to the exploits themselves.

 

Important part is:
They require full access to system 1st => can't care less.
Connected to claim that AMD stock has real $0 value.

Read: Unsubstantiated attack on AMD's stock.

 

I personally don't believe it, seems like it is most likely an Intel plot to discredit AMD or some nut jobs. If it is true then I rather hear it from AMD and hear what they have to say about it. The 24 hours seems messed up and discredits it for that is not the protocol. I hope they can fix it if it is true, still it seems like it needs admin privileges anyways, so yeah.

You would think when all the bad Intel exploits went down AMD would of looked into all of this stuff on their own CPU's pretty hard core.

Who knows hey, will see soon enough I guess, right now I am with Hilbert and I am writing it off as what ever.

 

Thanks, I was about to post that first link.

 

Then AMD just needs to debunk the exploits. As easy as that. I couldn't care less about their stock value tbh, I want to know if I can switch to Ryzen 2 when it comes around or if it's just as insecure as Intel CPUs.