
Initial AMD Technical Assessment of CTS Labs Research

Pascal VBIOS can be read, modified and flashed; you just need some hardware tools.

And with Maxwell you need a certificate bypass in nvflash.

I flashed dozens of Maxwell cards and modified their VBIOS with a hex editor to get the 2 missing volt sliders in the Maxwell BIOS Tweaker,

deleting the shitty VRel stuff.
 
Basically any Chinese product will have backdoors, whether it's a cellphone, router or any other electronic device capable of communicating over a network.
https://www.computerworlduk.com/sec...rs-that-heped-kill-faith-in-security-3634220/
http://www.wired.co.uk/article/huawei-nsa-nightmare

You forgot concrete buildings.
https://qz.com/1192493/china-spied-on-african-union-headquarters-for-five-years/

HOLY... o_O

How is this not a bigger deal?

It is. The big three have issued warnings on the case.
http://money.cnn.com/2018/02/14/technology/huawei-intelligence-chiefs/index.html
But after the Kaspersky fiasco, I doubt they could go into full ban mode without first stoking the FUD flames. The bitter taste of the PRISM revelations still lingers as well.
 
So it's AsMediaFlaws then?
 
So the Chinese copied the Russians when it came to spying using concrete.
https://en.m.wikipedia.org/wiki/The_Thing_(listening_device)
https://www.nytimes.com/1988/11/15/world/the-bugged-embassy-case-what-went-wrong.html

If I remember correctly, one of the reasons why the NSA kept quiet over the Huawei backdoors was that they used them to spy on other countries which were using Huawei routers on their networks. Snowden was the one who brought it to light, and it's one of the reasons why he had to flee the USA.
 
"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research"

This answers it all; only the MasterKey attack could remain permanent, but it can be fixed through a BIOS update.

Looking forward to seeing the next CTS report for other hardware too...
 
Which is crazy stupid.

I've always maintained that hardware security is stupid and just limits your control over your own PC, but no one cares much what frogs think at big-name companies...
 
So, basically AMD silently confirmed all I've been saying the entire time. CTS made massive drama over nothing just to show off their e-penis, starting with the ridiculous 24-hour time frame for AMD to respond, to excuses about how they didn't know about the unwritten protocol. It just makes them look unprofessional, and most will basically ignore the stuff they post in the future. The fact that you need admin access makes this basically a non-issue. And the demonstration video they made, they were running it in a local network. I'm not an expert on networking, but I'm pretty certain one does not just open a PowerShell and magically connect to a remote system behind firewalls/IPS systems. So, you need an actual ability to connect to a remote system which has admin privileges "on" by default. That's about as likely to be exploitable as winning a lottery.

Nothing to see here folks. No, literally nothing to see here. Move on.
 
CTS made massive drama over nothing just to show off their e-penis
Nothing to see here folks. No, literally nothing to see here. Move on.
I would hardly call a vulnerability that opens an unstoppable and undetectable set of back-doors "nothing". The difficulty of execution doesn't change the fact that it can be done. This is no different than any other vulnerability, such as Meltdown and especially Spectre, and needs to be taken just as seriously.

You proclaiming that it is any less serious than it actually is borders on the deranged and is nothing less than reckless and irresponsible.
 
Pascal VBIOS can be read, modified and flashed; you just need some hardware tools.

And with Maxwell you need a certificate bypass in nvflash.

I flashed dozens of Maxwell cards and modified their VBIOS with a hex editor to get the 2 missing volt sliders in the Maxwell BIOS Tweaker,

deleting the shitty VRel stuff.

Maxwell has tools to bypass the certificate; I've done tens of Maxwells for people.
Only GPU... wait, the only hardware I haven't been able to flash custom stuff on in my possession over the years is the Vega.

I would hardly call a vulnerability that opens an unstoppable and undetectable set of back-doors "nothing". The difficulty of execution doesn't change the fact that it can be done. This is no different than any other vulnerability, such as Meltdown and especially Spectre, and needs to be taken just as seriously.

You proclaiming that it is any less serious than it actually is borders on the deranged and is nothing less than reckless and irresponsible.

So where are their findings on Intel, IBM, Samsung, Apple?
It's all in the same ballpark.
 
I would hardly call a vulnerability that opens an unstoppable and undetectable set of back-doors "nothing". The difficulty of execution doesn't change the fact that it can be done. This is no different than any other vulnerability, such as Meltdown and especially Spectre, and needs to be taken just as seriously.

You proclaiming that it is any less serious than it actually is borders on the deranged and is nothing less than reckless and irresponsible.

An unstoppable and undetectable set of back-doors IF conditions a (specific motherboard), b (OS installed on metal, not a VM), c (administrative privileges), d (no BIOS password), e (unlimited network access within the domain) and f (motherboard accepts the modified BIOS, which they did verify as hit-and-miss) are met.

Again, as pointed out multiple times by multiple contributors, if these conditions are met they allow for anyone to do almost anything within such environment anyway.
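As an added example (my own, not a post from this thread and not code from CTS Labs or AMD), here is a PowerShell inventory that collects the facts behind the precondition list above, so a defender can tell whether a given Windows host is even in scope before worrying about a firmware-level persistence story. It reads the board model, BIOS version, CPU vendor and VM status through the standard CIM classes and checks whether the current session holds administrative rights. The function names, the VM model-string regex and the CPU vendor match are my assumptions; conditions d (BIOS password), e (network reach) and f (whether the board accepts a modified image) cannot be determined from inside the OS and are reported as unknown.

```powershell
# Added example, not from the thread. Assumes a Windows host with PowerShell 5.1+
# and the CIM cmdlets; the VM and CPU heuristics below are my assumptions.

function Get-PlatformExposureFacts {
    [CmdletBinding()]
    param()

    # Condition (c): administrative privileges, checked from the current token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Condition (a): the exact board. Vendor firmware images are board-specific,
    # which is why a flash attempt on the wrong board is the "hit-and-miss" case.
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Condition (b): OS on metal vs. inside a VM. Model-string heuristic (assumption).
    $vmPattern = 'Virtual|VMware|KVM|QEMU|Xen|HVM|VirtualBox|Hyper-V'
    $isVm = ($cs.Model -match $vmPattern) -or ($cs.Manufacturer -match $vmPattern)

    [pscustomobject]@{
        IsAdmin          = $isAdmin
        IsVirtualMachine = $isVm
        CpuName          = $cpu.Name
        IsAmdCpu         = ($cpu.Manufacturer -match 'AMD')   # "AuthenticAMD" on AMD parts
        BoardVendor      = $board.Manufacturer
        BoardProduct     = $board.Product
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosReleaseDate  = $bios.ReleaseDate
    }
}

# Map the collected facts onto the thread's precondition list. Anything that
# cannot be observed from the OS is reported as unknown rather than guessed.
function Test-FirmwareFlashPreconditions {
    param([Parameter(Mandatory)] $Facts)

    $reasons = @()
    if (-not $Facts.IsAdmin)     { $reasons += 'not running as Administrator (condition c)' }
    if ($Facts.IsVirtualMachine) { $reasons += 'OS is inside a VM, no direct flash path (condition b)' }
    if (-not $Facts.IsAmdCpu)    { $reasons += 'CPU is not AMD; this research does not apply' }

    [pscustomobject]@{
        InScope         = ($reasons.Count -eq 0)
        BlockingReasons = $reasons
        Board           = "$($Facts.BoardVendor) $($Facts.BoardProduct)"
        Bios            = "$($Facts.BiosVersion) ($($Facts.BiosReleaseDate))"
        BiosPasswordSet = 'unknown from inside the OS (condition d)'
        NetworkReach    = 'not assessed here (condition e)'
        BoardAcceptsMod = 'unknown without a flash attempt (condition f)'
    }
}

$facts = Get-PlatformExposureFacts
$facts | Format-List
Test-FirmwareFlashPreconditions -Facts $facts | Format-List
```

Run it in the session you are assessing (an elevated and a non-elevated run give different answers for condition c by design). The Board and Bios fields are the ones to compare against the board vendor's firmware release notes once the AGESA-based fixes AMD mentions are shipped; the script deliberately does not try to read or write the SPI flash itself.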
 
So, basically:

AMD confirms all reported vulnerabilities
AMD sees the vulnerabilities as somewhat substantial and will release updates to patch the vulnerabilities
AMD does not expect any performance decreases (TBD)
AMD needs to improve the efficiency of PR
CTS Labs research was validated
CTS Labs needs to learn and execute best practices and better ethics

End of story for now.
 
This is basically AMD's equivalent of the flaws found in Intel's secure processor once it was found to be running Minix.
 
So, basically:

AMD confirms all reported vulnerabilities
AMD sees the vulnerabilities as somewhat substantial and will release updates to patch the vulnerabilities
AMD does not expect any performance decreases (TBD)
AMD needs to improve the efficiency of PR
CTS Labs research was validated
CTS Labs needs to learn and execute best practices and better ethics

End of story for now.
Well said. There were many, many people who didn't believe these were true at all. Couldn't really blame them, but... there is something to be said for a measured approach to things.

....just looked down, both my hands are pud free... ;)

People are still defending it too...?
 
I would hardly call a vulnerability that opens an unstoppable and undetectable set of back-doors "nothing". The difficulty of execution doesn't change the fact that it can be done. This is no different than any other vulnerability, such as Meltdown and especially Spectre, and needs to be taken just as seriously.

You proclaiming that it is any less serious than it actually is borders on the deranged and is nothing less than reckless and irresponsible.

"Difficulty of execution doesn't change the fact that it can be done." By that logic, everything is vulnerable. It doesn't matter how hard it may be to exploit it, or if there even is anything, but we can just safely assume that everything is and can be exploited. Better remove everything from the market then.

Let me repeat it again:

- you need to first be capable of connecting to a targeted system
- the remote system needs to be admin enabled during the interaction
- you have to know which board exactly is used in the system to flash it successfully

That's one hell of a set of "if" factors, don't you think? People who think you just open up CMD and type in some gibberish and voila, you're connected like a tr00 hacker need to stop watching movies.

And if you read back my posts, I never said the findings are fake. I just said the method of publishing it was absolutely retarded and that all the generated drama around it is pointless, as the severity isn't nearly as high as they make it seem to be. Because of the above 3 reasons.
 
- you need to first be capable of connecting to a targeted system
- the remote system needs to be admin enabled during the interaction
- you have to know which board exactly is used in the system to flash it successfully
Are two of those three things even difficult though? Access to systems isn't a huge hurdle. If you can get #1, #3 is easy.
 
Like I've said, accessing remote systems is not what movies show you. You don't just mash the keyboard a bit and boom, you're connected to the remote system in 15 seconds. Things don't work that way. Then, if you have no admin privileges, you're basically screwed with this "exploit". You need to find an exploit or vulnerability to escalate privileges, which puts this entire Ryzen thing into a secondary tier. It's no longer a primary concern.

Which is why this whole thing is a lot of drama and nothing else. Sure, AMD needs to fix the secondary issues with their Secure Processor part, but that's about it. A security problem like any other found on a daily basis that no one makes massive drama around.

Privilege escalation exploits are the worst. They give you access to a protected system without any admin credentials. Here, it is assumed that you have them by default. That's one hell of an assumption that makes the "exploit" ineffective entirely.

An exploit is when you bypass the mechanisms using unconventional methods. What this here is, is a mere design flaw, because you need all the privileges an actual official manager of the system would need to make these changes.
 
Rej, I understand, completely, what it takes to reach other systems (my question was, I thought, obviously facetious). #1 is 'easy', #3 naturally falls with #1. So you are left, essentially, with admin authority being the most difficult of those three. ;)

We all understand it isn't a huge deal...but a deal that nonetheless needs to be taken care of as they are doing.



On a side note, I wonder if CTS is going to get any jobs after this debacle of theirs? lol
 
I have to wonder how willing anyone would be to work with CTS after this. If they stick around.

Edit: I see EarthDog beat me to the punch on this.
 
This is basically AMD's equivalent of the flaws found in Intel's secure processor once it was found to be running Minix.
Almost, except AMD pushed an AGESA update last year allowing theirs to be turned off after Intel's debacle.
 
Rej, I understand, completely, what it takes to reach other systems (my question was, I thought, obviously facetious). #1 is 'easy', #3 naturally falls with #1. So you are left, essentially, with admin authority being the most difficult of those three. ;)

We all understand it isn't a huge deal...but a deal that nonetheless needs to be taken care of as they are doing.



On a side note, I wonder if CTS is going to get any jobs after this debacle of theirs? lol

Again, it's one massive "if" when one step entirely negates the so-called "exploit". The point of an exploit is that there are no counter-measures until it's patched accordingly. Not having admin access being a show stopper is a laughable prerequisite for something they call an "exploit"...
 
Plenty of massive "ifs" have been exploited before. If this wasn't a worry, AMD would have refuted these things instead of acknowledging them, putting them in a proper context, and offering fixes for everything.

It really isn't a big deal; many speculated this (many denied there even was an issue), but again, it's a deal that needs to be mitigated nonetheless.


*shows hands.... pud free*
 
I just said the method of publishing it was absolutely retarded and that all the generated drama around it is pointless, as the severity isn't nearly as high as they make it seem to be. Because of the above 3 reasons.
That doesn't prove that it can't be done; it only proves your lack of proper understanding of the problems and the severity of same.

If this wasn't a worry, AMD would have refuted these things instead of acknowledging them, putting them in a proper context, and offering fixes for everything.
Absolutely correct.
 