Nowhere is safe now that AMD has suffered its own Meltdown

Chaos reigns as Ryzenfall pits security researchers against each other

AMD Ryzen 5 2400G & Ryzen 3 2200G Review fingers motherboard
Bill Roberson/Digital Trends
Bill Roberson/Digital Trends

(in)Secure is a weekly column that dives into the rapidly escalating topic of cyber security.

On Tuesday, March 13, security firm CTS Labs announced the discovery of 13 flaws in AMD’s Ryzen and Epyc processors. The issues span four classes of vulnerabilities that include several major issues, such as a hardware backdoor into Ryzen’s chipset, and flaws that can completely compromise AMD’s Secure Processor, a chip that’s supposed to act as a “secure world” where sensitive tasks can be kept out of malware’s reach.

The lack of agreement means there’s no way to know when the next flaw will be exposed, who it will come from, or how it will be reported.

This revelation comes just months after the reveal of the Meltdown and Spectre flaws that impacted chips from AMD, Intel, Qualcomm, and others. AMD, whose chips were compromised by some Spectre flaws, came out of the fiasco relatively unscathed. Enthusiasts focused their anger on Intel. Though a handful of class-action lawsuits were filed against AMD, they’re nothing compared to the hoard of lawyers set against Intel. Compared to Intel, AMD seemed the smart, safe choice.

That made Tuesday’s announcement of flaws in AMD hardware even more explosive. Twitter-storms erupted as security researchers and PC enthusiasts argued over the validity of the findings. Still, the information provided by CTS Labs was independently verified by another firm, Trail of Bits, founded in 2012. The severity of the issues can be argued, but they do exist, and they compromise what some PC users had come to view as the last safe harbor.

The wild west of disclosure

The content of CTS Labs’ research would’ve generated headlines in any event, but the reveal’s punch was amplified by its surprise. AMD was apparently given less than 24 hours to response before CTS Labs went public, and CTS Labs has not gone public with all technical details, instead choosing to share them only with AMD, Microsoft, HP, Dell, and several other large companies.

Many security researchers cried foul. Most flaws are disclosed to companies earlier, alongside a timeframe to respond. Meltdown and Spectre, for instance, was disclosed to Intel, AMD, and ARM on June 1 of 2017 by Google’s Project Zero team. An initial 90-day window to fix the problems was later extended to 180 days, but ended ahead of schedule when The Register published its initial story on Intel’s processor flaw. CTS Labs’ decision not to offer prior disclosure has caused speculation that it had another, more malicious motive.

CTS Labs defended itself in a letter from Ilia Luk-Zilberman, the company’s CTO, published on the AMDflaws.com website. Luk-Zilberman takes issue with concept of prior disclosure, saying “it’s up to the vendor if it wants to alert the customers that there is a problem.” That’s why you rarely hear of a security flaw until months after it was uncovered.

Worse, says Luk-Zilberman, it forces a game of brinkmanship between the researcher and the company. The company might not respond. If that happens, the researcher faces a grim choice; keep quiet and hope no one else finds the flaw, or go public with the details of a flaw that has no available patch. Cooperation is the goal, but the stakes for both researcher and company encourage defensiveness. The question of what’s proper, professional, and ethical often collapses into petty tribalism.

Where’s the bottom?

The industry standard for disclosing a flaw doesn’t exist and, in its absence, chaos reigns. Even those who believe in disclosure don’t agree on details, such as how long a company should be given to respond. The lack of agreement means there’s no way to know when the next major flaw will be exposed, who it will come from, or how it will be reported.

It’s like strapping on a life vest as a ship sinks into frigid waters. Sure, the vest is a good idea, but it’s not enough to save you anymore.

Cyber security is a mess, and it’s a mess that’s taken its toll on each of us. While alarming, the new flaws in AMD processors — like Meltdown, Spectre, Heartbleed, and so many others before — will be soon be forgotten. They must be forgotten.

After all, what other choice do we have? Computers and smartphones have become mandatory for participation in modern society. Even those who don’t own them must use services that rely on them.

Every piece of software and hardware we use is, apparently, riddled with critical flaws. Even so, unless you decide to abandon society and build a cabin in the woods, you must use them.

Normally, I’d like this column to end on practical advice. Use strong passwords. Don’t click on links that promise free iPads. That sort of thing. Such advice remains true, but it feels like strapping on a life vest as a ship sinks in frigid arctic waters. Sure. The life vest is a good idea. You’re safer with it than without — but it’s not enough to save you anymore.

Emerging Tech

CES 2019 recap: All the trends, products, and gadgets you missed

CES 2019 didn’t just give us a taste of the future, it offered a five-course meal. From 8K and Micro LED televisions to smart toilets, the show delivered with all the amazing gadgetry you could ask for. Here’s a look at all the big…
Mobile

We tried all the latest and greatest smartphones to find the best of 2019

Smartphones are perhaps the most important and personal piece of tech on the planet. That’s why it’s important to pick the best phone for your individual needs. Here are the best smartphones you can buy.
Computing

Microsoft will end support for Windows 7 one year from now

Microsoft is set to end extended support for Windows 7 on January 14, 2020, putting a halt on the free bug fixes, and security patches for most who have the operating system installed. 
Computing

Intel vs. AMD: Which chipmaker stole the show at CES 2019?

Intel and AMD have been competing for years, but rarely do they both debut something exciting at the same time. Intel vs. AMD at CES 2019 saw both companies step up to the plate. Who served it better?
Computing

Every gaming laptop that was announced at CES 2019, ranked

Looking for a new gaming laptop? You're in luck, as we compiled and ranked all the gaming notebooks that were announced at CES this year. Be sure to take a look at the latest models with AMD or Nvidia chips before you buy.
Computing

Google is giving its G Suite web apps new touches of visual improvements

Your G Suite applications will soon have a different look. Several of the web apps are getting updated with subtle visual improvements inspired by Google's Material Design guidelines. 
Computing

Hackers are scoring with ransomware that attacks its previous victims

Computer viruses are always evolving. In a new one, dubbed "Ryuk," hackers are targeting PCs with ransomware that scours an infected network in order to pinpoint and attack and enterprises with big money.
Computing

An update to Microsoft To-Do will help you keep up with your resolutions

If you're looking to stay productive in 2019, you might want to check out the freshly updated Microsoft To-Do app, now with additional integration with the Windows 10 Start Menu and more.
Computing

Want to save a webpage as a PDF? Just follow these steps

Need to quickly save and share a webpage? The best way is to learn how to save a webpage as a PDF file, as they're fully featured and can handle images and text with ease. Here's how.
Computing

Could the next Microsoft HoloLens be announced at MWC 2019?

After not having a presence at Mobile World Congress for three years, Microsoft is now sending out media invites for a press conference on February 24 during the annual event in Barcelona. Could a next-generation HoloLens be on the way?
Computing

Microsoft to separate Cortana from search with the next version of Windows 10

Changes are on the way for two key features in Windows 10. A separation of Windows 10 search and Cortana will allow Microsoft to more often innovate on each of the features independently.
Computing

Delete tracking cookies from your system by following these quick steps

Cookies are useful when it comes to saving your login credentials and other data, but they can also be used by advertisers to track your browsing habits across multiple sites. Here's how to clear cookies in the major browsers.
Computing

Convert your PDFs into convenient Word documents with Adobe or a free option

PDF files are great, but few document types are as malleable as those specific to Microsoft Word. Here's how to convert a PDF file into a Word document, whether you prefer to use Adobe's software suite or a freemium alternative.
Computing

Nvidia’s next midrange card might be a GTX 1660 Ti, rumors suggest

Nvidia may be working on a non-RTX Turing graphics card called the 1660 Ti. Rumors suggest it will have around 20 percent fewer CUDA cores than the RTX 2060 and will lack ray tracing support.