Israel-based CTS Labs, a cybersecurity company that published over a dozen security flaws in AMD chips last week after giving the chipmaker only a 24-hour warning, is standing behind its report. "We’re coming from a position, but that doesn't mean we're wrong," CTS' chief financial officer Yaron Luk-Zilberman said in an interview with Calcalist Wednesday.
CTS publicly released its report last Tuesday, detailing 13 security vulnerabilities in AMD chips that require administrative access for exploitation. The startup made its announcement only 24 hours after notifying AMD, instead of giving the company the 90-day advance notice customary in the industry, leading to widespread critical backlash. The heaviest criticism leveled at CTS came as a result of a 25-page report slamming AMD, released by Viceroy Research, a company known for shorting stocks, only three hours after the publication of the vulnerabilities. In its report, Viceroy Research claimed the flaws discovered would force the chipmaker to file for bankruptcy.
Investors proved indifferent to the reports, and by last Tuesday market close AMD’s stock was up 1.2% on Nasdaq.
In January, a team of Google security researchers published the details of two separate security flaws affecting a wide range of chips by Intel and AMD. Dubbed “Meltdown” and “Spectre,” the flaws render the chips vulnerable to hacking. Google’s team approached the companies in 2016, as did an independent team of academic researchers that also identified the vulnerabilities. Following the public announcement, Intel, AMD, Microsoft, Apple, and Linux started rolling out security patches.
On Tuesday, AMD acknowledged the vulnerabilities published by CTS in a blog post, emphasizing that actual exploitation is far from trivial and would require administrator access. The company also said it planned to release patches to fix some of the flaws.
Mr. Luk-Zilberman denied direct affiliations with Viceroy Research in the interview with Calcalist. "We do not have any connection to Viceroy Research, it is not a client of ours and we did not provide them with anything," Mr. Luk-Zilberman said. "If the findings ended up in their hands it was not our doing. To my understanding, they claim they received our research through one of our clients."
CTS was founded in 2017 by four veterans of technology units in Israel’s military. The company now employs six people.
The company was also criticized for contracting only one relatively obscure security firm, Trail of Bits, to verify its findings.
Since the publication of its reports, CTS executives claimed in several interviews that the company chose to notify AMD only a short time before the intended release of the report as it was trying to make the chipmaker react in a hasty manner for the benefit of the industry at large. The claim has been met with severe skepticism.
In the interview with Calcalist, Mr. Luk-Zilberman said CTS sold some of the information to clients prior to the publication, adding that the company did not provide its customers with a detailed technical account of the vulnerabilities but rather with a general description of the problems. The company first started researching the problems, and only later started looking for potential customers to finance the ongoing research, which took eight months, he said.
"Our potential clients knew from the start that it was about AMD, because they needed to know what they were buying,” Mr. Luk-Zilberman said.