Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com)
Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup, claimed it had discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator, doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."
These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.
With UEFI, you already shouldn't trust a used computer. That stuff is heavily insecure and difficult to detect.
"First they came for the slanderers and I said nothing."
It needs local admin privileges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.
Not necessarily. Imagine this scenario: You have a secured machine, it is using SecureBoot to verify the bootloader and kernel image, signed using your org's keys. When it boots, the user must enter a pass phrase, which is used to decrypt the keys stored in the TPM to decrypt the hard disk. Without the correct pass phrase, entered into the verified boot loader, you have no way of accessing any of the confidential data on the disk. I'm pretty sure Windows supports this configuration out of the box and I believe that you can do the same with Linux / GRUB.
This setup is incredibly hard to bypass. Except with a vulnerability like this, because now if you have 2 minutes of physical access to the machine, you can reboot into an OS from a USB disk and install persistent malware that can fake the boot attestation, extract the keys when the TPM unlocks them, and access all of the data on the disk. The malware can also establish network connections without the OS being aware of them, so it can exfiltrate the data if there isn't a decent IDS on the network (or it can just let the attacker dump the entire disk contents to a USB drive the next day, or the attacker can take the encrypted disk image the first time and then the malware just needs to transmit the key, which can be hidden as a single HTTPS request and probably not blocked by anything).
How much confidential data is stored on your organisation's computers? How sure are you that your cleaners would say no if someone offered them $100,000 to stick a USB drive in each of the desktops in an office, reboot, and then remove it a couple of minutes later?
I am TheRaven on Soylent News
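As an added illustration, not part of the ZDNet story or of any commenter's post, the Python model below shows why the sealed-disk-key setup described in the comment above only holds as long as the component doing the measuring is honest: the TPM's extend, seal and unseal operations are simplified to SHA-256 and HMAC, and the boot-chain strings and passphrase are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """An honest root of measurement extends one PCR with each stage that actually ran."""
    pcr = bytes(32)  # PCRs are all-zero at reset
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def lying_root_of_measurement(actually_ran: List[bytes], claimed: List[bytes]) -> bytes:
    """Models compromised firmware: it reports the measurements of the chain it *claims*
    ran, whatever actually ran. This is the 'fake the boot attestation' case."""
    return measure_boot_chain(claimed)


def wrap_key(pcr: bytes, passphrase: str) -> bytes:
    """Wrapping key bound to both the PCR value and the user's passphrase."""
    return hmac.new(passphrase.encode(), pcr, hashlib.sha256).digest()


def seal(disk_key: bytes, expected_pcr: bytes, passphrase: str) -> Dict[str, bytes]:
    wrap = wrap_key(expected_pcr, passphrase)
    blob = bytes(a ^ b for a, b in zip(disk_key, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: Dict[str, bytes], observed_pcr: bytes, passphrase: str) -> Optional[bytes]:
    """Releases the disk key only if passphrase AND measured boot chain both match."""
    wrap = wrap_key(observed_pcr, passphrase)
    expected_tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, sealed["tag"]):
        return None  # wrong passphrase or different boot chain: nothing is released
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed sample data: the org-signed chain and a USB boot that is not signed by the org.
GOOD_CHAIN = [b"firmware v1", b"org-signed bootloader", b"org-signed kernel"]
USB_CHAIN = [b"firmware v1", b"usb bootloader", b"usb os"]
PASSPHRASE = "correct horse battery staple"
DISK_KEY = hashlib.sha256(b"constructed 256-bit disk key").digest()
SEALED = seal(DISK_KEY, measure_boot_chain(GOOD_CHAIN), PASSPHRASE)
```

With honest firmware the USB boot changes the PCR and `unseal` returns `None`; with firmware that replays the expected measurements the same sealed blob opens, which is why a flaw that needs admin rights to plant firmware-level code still matters for this threat model.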