- Feb 4, 2016
- 2,520
Researchers find 13 vulnerabilities in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded portions of the processor.
Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices.
Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer.
CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. AMD's Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers.
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days notice, so companies have time to address flaws properly.
At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said.
The revelation of these vulnerabilities come after the emergence of Meltdown and Spectre, security flaws that affected Intel and Arm chips. They caused such a problem for PCs dating all the way back to the last two decades. The vulnerabilities were widespread considering that 77 percent of computer processors are Intel, while AMD takes up 22 percent.
When those two security flaws were announced in January, AMD said it was not affected because of the differences in its architecture. These new security vulnerabilities break down into four categories, according to CTS-Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman.
All of the vulnerabilities essentially allow an attacker to target the secure processor, which is crucial to protecting the sensitive information on your device.
"You're virtually undetectable when you're sitting in the secure processor," Luk-Zilberman said. "An attacker could sit there for years without ever being detected."
What should I do?
It's unclear how long it will take to fix these issues with AMD's processors. CTS-Labs said it hasn't heard back from AMD. The researchers said it could take "several months to fix." The vulnerabilities in the hardware can't be fixed.
Intel and Microsoft are still managing its patches for Meltdown and Spectre, and the fixes have ended up causing more problems, such as bugs that slowed down your computer. These new vulnerabilities could mean similar headaches for AMD-powered devices.
"Once you're able to break into the security processor, that means most of the security features offered are broken," Li On said.