As you may have heard, this week a security company that sprang out of nowhere claims that it’s discovered more than a dozen vulnerabilities in its EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile chips. What made the claims worthy of raising an eyebrow or two was the fact that CTS, the Israeli research organization that published the report, gave AMD just 24 hours’ notice before going public.
“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” said AMD. “At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.”
- Unfortunately for AMD, those attacks appear to have been independently verified as legitimate, though they do require physical or administrative rights – but if achieved they enable (via ARS Technica):
- Running persistent malware inside the AMD Secure Processor that’s impossible—or nearly impossible—to detect
- Bypassing advanced protections such as AMD’s Secure Encrypted Virtualization, Firmware Trusted Platform Module, and other security features, which are intended to secure systems and sensitive data in the event that malware infects a computer’s operating system
- Stealing credentials a vulnerable computer uses to access networks
- Physically destroying hardware by attackers in hardware-based “ransomware” scenarios
“All the exploits work as described,” Dan Guido, a chip security expert and the CEO of security firm Trail of Bits, told Ars Technica. “The package that was shared with me had well-documented, well-described write-ups for each individual bug. They’re not fake. All these things are real. I’m trying to be a measured voice. I’m not hyping them. I’m not dismissing them.”
It does, however appear that the research firm may have ulterior motives. Buried in its report CTS says it “may have, either directly or indirectly, an economic interest in the performance” of AMD stock. Now, Viceroy, the stock-shorting company that brought down Steinhoff and tried the same with Capitec has said that AMD is effectively worthless. In a new report, the stock shorters have said that AMD is on its knees.
“Make no mistake, the AMD growth story is dead,” said Viceroy.“We believe AMD is worth $0.00 and will have no choice but to file for bankruptcy.”
The company says that AMD’s chip issues are unpatchable or will take months to fix, and that the only recourse is an expensive product recall.
“The biggest hurdle Viceroy perceives is time. From discussions with experts: in the most optimistic of scenario it will take AMD many months to patch vulnerabilities on its devices.
Viceroy also believes that AMD executives have been selling off stock riding AMD’s highs.
“Since November 2016, AMD’s CEO, Lisa Su, has sold over 2.8 million shares of AMD, amounting to $30 million. In total, the management team has sold over 9 million shares of AMD since November 2016.”
There’s a lot more in the full report to suggest that AMD has employed a bit of creative accounting to make itself look more profitable than it actually is. That said, this all seems like an assassination to make money. After Viceroy’s report on Capitec was largely shown (inconclusively!) to be unfounded, Viceroy’s profiteering motives have been a little more apparent. AMD’s stocks haven’t moved much since the reports, dropping slightly.
Last Updated: March 15, 2018