Little-known Israeli tech firm CTS Labs recently detailed 13 critical security vulnerabilities and manufacturer backdoors in AMD’s EPYC, Ryzen, Ryzen Pro and Ryzen Mobile lines of CPU chips. As expected, the report created quite a stir among cyber-security analysts and industry watchers, not least because the revelations come so soon after the huge controversy surrounding the Meltdown and Spectre security flaws.
While most security experts are of the opinion that the flaws are ‘real’ and have been accurately described in CTS’ whitepaper, many have been expressing their shock and utmost discomfiture at the fact that the company went against convention and published the details just one day after disclosing them to AMD, barely giving the company a chance to issue security patches.
Now, outspoken tech guru and the creator of the Linux kernel, Linus Torvalds, is taking the lead in flaying the Tel Aviv-based cyber-security startup, calling their security advisory “garbage”, and saying that “it looks like the IT security world has hit a new low”. And that’s just the start of a rather scathing criticism, often tinged with the colorful language that Torvalds is well known for. According to him, “I thought the whole industry was corrupt before, but it’s getting ridiculous”.
While he could have expressed himself in a slightly less abrasive tone, Torvalds may have a point, given that similar views have been expressed by many experts from around the world. According to their argument, the fact that would-be hackers will need physical access to devices with these ‘vulnerable’ CPUs and will then need to gain administrative rights to plant their malware means that the PCs will already have been compromised well before getting to the malware stage.
Another thing that many of them were already pointing out was the rather off-key disclosure from CTS that the company “may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports”. Now, Torvalds says he also believes that to be the case, saying that the whole thing “looks more like stock manipulation than a security advisory to me”.