When the Spectre and Meltdown vulnerabilities were revealed in millions of processors earlier this year, those deep-seated vulnerabilities rattled practically the entire computer industry. Now a group of Israeli researchers is outlining a new set of chip-focused vulnerabilities that, if confirmed, would represent another collection of flaws at the core of computer hardware, this time in a processor architecture designed by AMD. But the researchers now also face their own questions: about the hype they're piling onto those revelations, the timing of their disclosure to AMD, and even their financial motivations for their work.

On Tuesday morning, hardware security firm CTS Labs published a paper and website pointing to four new classes of attack that the company says are possible against AMD chips in both PCs and servers. Together, they seem to offer an array of new methods for hackers who have already gained significant access to a computer running AMD's "Zen" processor architecture. At their worst, the vulnerabilities as described would allow attackers to bypass security safeguards against tampering with the computer's operating system, and potentially plant malware that evades practically any attempts to detect or delete it on AMD chips.

"We believe that these vulnerabilities put networks that contain AMD computers at a considerable risk," reads a paper published by the CTS researchers. "Several of them open the door to malware that may survive computer reboots and reinstallations of the operating system, while remaining virtually undetectable by most endpoint security solutions. This can allow attackers to bury themselves deep within the computer system and to potentially engage in persistent, virtually undetectable espionage."

'The lack of details makes it unverifiable.' Ben Gras, Free University of Amsterdam

But in an unusual move, the CTS researchers shared their full findings with AMD only a day before going public, practically blindsiding the company. The typical disclosure window lasts for months, to give affected manufacturers a chance to address the issues. They also released their paper with almost no technical details that would allow anyone to reproduce the attacks they describe. And CTS includes an unusual disclaimer on its website that it may have "an economic interest in the performance of the securities of the companies" implicated in its reports, raising concerns from security analysts that they could benefit from a drop in AMD's stock price.

"It's kinda hard to parse it all at face value, because I don't think they are acting in good faith, and the lack of details makes it unverifiable," wrote Ben Gras, a hardware security researcher at the Free University of Amsterdam. "It makes me worry that even the impact may be reported in an inflated way."

Security researcher Arrigo Triulzi described the research in simpler terms on Twitter: "over-hyped beyond belief."1

Real Bugs

Hyped or not, the CTS researchers appear to have found real vulnerabilities in AMD's Zen architecture chips, which they break down into four classes of attack called Ryzenfall, Masterkey, Fallout and Chimera.

The first three of those techniques, they say, take advantage of security vulnerabilities in AMD's Secure Processor, a separate processor within AMD chips designed to perform independent security checks on its operations. If a hacker has administrative privileges on a target machine, CTS's attacks allow them to run their own code on those secure processors. That would allow attackers to circumvent safeguards like secure boot protections, which protect the integrity of the operating system when it loads, as well as Windows' credential guard, which prevents hackers from stealing passwords out of memory. The attacks might even allow hackers to plant their own malware in those secure processors, spying on other elements of the computer while entirely evading antivirus, and even persisting after reinstallation of the computer's operating system.

In Chimera, the last of the four attacks, the researchers say they exploited not a mere bug, but a backdoor. CTS says it discovered that AMD uses a chipset sold by the Taiwanese firm ASMedia to handle the operation of peripheral devices. The researchers say they had earlier found that ASMedia's chipset had a function that allowed someone with access to a computer to run their own code on that peripheral chipset, seemingly as a debugging mechanism left in by the developers. That debugging backdoor had apparently been left in not only in ASMedia's products, but in AMD's too. As a result, a hacker with administrative privileges on a machine could plant malware in those obscure peripheral chips, potentially using them to read the computer's memory or network data. And since the backdoor is built into the chip's hardware design, it may be impossible to fix with a mere software patch.