The saga of CTS Labs' revelation of 13 (potential) vulnerabilities in AMD's Ryzen and EPYC processors continues. Tom's Hardware managed to get the company on the phone shortly after its disclosure; our sister site, AnandTech, was later able to perform a more thorough phone interview with CTS Labs. AnandTech's Ian Cutress pulled in an outside expert, David Kanter (of Real World Tech), for the call with CTS Labs' Ido Li On (CEO) and Yaron Luk-Zilberman (CFO).
As you can read yourself from the transcription of the call, the interview perhaps raised more questions than it answered about CTS Labs itself--its methods, motivations, and ability to handle the disclosure of critical vulnerabilities--as well as the vulnerabilities it revealed.
As we explained in our previous reporting on CTS Labs' findings, most researchers give companies 90 days to address vulnerabilities before disclosing them to the public. Sometimes these grace periods are extended--Google ended up waiting 200 days to reveal Meltdown and Spectre after a series of delays--but 90 days is the standard. Yet CTS Labs gave AMD roughly 24 hours to examine its findings before they were made public.
That in and of itself is strange, but even if you accept CTS Labs' logic for doing so--it didn't think any of these vulnerabilities could be fixed within 90 days, so instead of allowing people to purchase some purportedly insecure products, CTS Labs decided to disclose the flaws shortly after informing AMD of them--their own statements are inconsistent.
Luk-Zilberman stated that, "In this case we decided that the second option [that is, disclosing vulnerabilities publicly at the same time they alert the company] is the more responsible one, but I would say that in every case that this is the better method." Yet just a few sentences later, he contradicted himself. Cutress asked, "Say, for example, CTS Labs were in charge of finding Meltdown and Spectre, you would have also followed the same path of logic?" Luk-Zilberman replied, "I think that it would have depended on the circumstances of how we found it, how exploitable it was, how reproducible it was. I am not sure it would be the case. Every situation I think is specific."
There were other contradictions and oddities. For example, Luk-Zilberman said that CTS Labs would love to share vulnerability and exploit details with the likes of AnandTech but couldn't because of "Israel export laws," but Cutress' legal contact called that "BS." Cutress also asked CTS Labs if they thought those laws (specious as they may be) prevented them from disclosing the vulnerabilities publicly, to which Luk-Zilberman bafflingly replied, "That is an interesting question, I haven’t even thought about that."
CEO On also said, upon being asked, that he couldn't remember if they had prebriefed media before they posted their announcement, which is a ludicrous thing to say. Further, although CTS Labs gave all of its findings to Trail of Bits for confirmation before its announcement, it clearly gave information to others beforehand. That includes the shadowy Viceroy Research, which published a rambling, unhinged takedown of AMD's stock price.
Perhaps most alarmingly, given the severity of its allegations against AMD, CTS Labs seemed to stumble over, mischaracterize, or outright state incorrectly some key pieces of technological information throughout the interview.
None of the above inspires confidence in CTS Labs' ability to handle the disclosure of what it called 13 critical vulnerabilities in AMD products. Whether these problems result from the company's inexperience or from malice is debatable, but in either case (or both cases) it's quite alarming.
It's worth noting that since our own call with CTS Labs, the company has not responded to multiple emails from Tom's Hardware seeking more information about the vulnerabilities, nor did it answer the questions AnandTech emailed after its interview. The company did, however, update the AMDFlaws.com website with a new "clarification" about the vulnerabilities. That clarification wasn't present when the site launched; it took the place of a YouTube video explaining the vulnerabilities.
We should also note that AMD has not yet released an official statement about these vulnerabilities, except to say that it's "actively investigating and analyzing" CTS Labs' report and that it finds it "unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings." The whole situation, and the characters at the center of it, are, indeed, unusual.