Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices.
Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer.
The majority of these vulnerabilities require administrative access to work, meaning that an attacker would need to have control of your machine through some type of malware first. But even with administrative access, putting the malware on the secure processor itself carries a higher potential for damage than a normal attack would.
CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers.
The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for at least 90 days' notice so that companies have time to address flaws properly. For comparison, Google's researchers gave Intel six months to fix issues related to Spectre and Meltdown.
Disclosing a vulnerability to the public without giving a company enough time to fix it can be irresponsible, as it leaves the flaw open for attackers to use. Imagine somebody telling your entire neighborhood there's a hole in your fence just 24 hours after letting you know.
"At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said.
Critics have also pointed out that CTS-Labs' legal disclaimer mentions a potential conflict of interest.
"Although we have a good faith belief in our analysis and believe it to be objective and unbiased," the disclaimer says, "you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
CTS-Labs didn't respond to a follow-up email about the disclaimer.
The revelation of these vulnerabilities comes after the emergence of Meltdown and Spectre, security flaws in Intel and Arm chips that affected a huge number of PCs dating back two decades. According to researcher Statista, 77 percent of computer processors are from Intel, while AMD accounts for 22 percent.
When the Meltdown and Spectre flaws were revealed in January, AMD said it was not affected because of the differences in its architecture.
These new security vulnerabilities break down into four categories, according to CTS-Labs co-founder and Chief Financial Officer Yaron Luk-Zilberman. All essentially allow an attacker to target the secure segment of a processor, which is crucial to protecting the sensitive information on your device.
Security researchers also criticized the published white paper for lacking any technical details describing the vulnerabilities. CTS-Labs said they sent their technical report to Dan Guido, an independent security researcher and the CEO of Trail of Bits.
He said the company sent him the details last week, and noted that they were legitimate threats.
Guido also said CTS-Labs paid him the company's "week rate for the work."
"You're virtually undetectable when you're sitting in the secure processor," Luk-Zilberman said. "An attacker could sit there for years without ever being detected."
Here's a breakdown:
When a device starts up, it typically goes through a "secure boot" process. It uses your processor to check that nothing on your computer has been tampered with, and only launches trusted programs.
The Master Key vulnerability gets around this startup check by installing malware on the computer's BIOS, part of the computer's system that controls how it starts up. Once it's infected, Master Key allows attackers to install malware on the secure processor itself, meaning they'd have complete control of what programs are allowed to run during the startup process.
From there, the vulnerability also allows attackers to disable security features on the processor.
Ryzenfall specifically affects AMD's Ryzen chips and would allow malware to completely take over the secure processor.
That would mean being able to access protected data, including encryption keys and passwords. These are regions on the processor that a normal attacker would not be able to access, according to the researchers.
If attackers can bypass the Windows Defender Credential Guard, they could use the stolen data to spread to other computers within a network. Credential Guard is a feature for Windows 10 Enterprise, which stores your sensitive data in a protected section of the operating system that normally can't be accessed.
"The Windows Credentials Guard is very effective at protecting passwords on a machine and not allowing them to spread around," Luk-Zilberman said. "The attack makes spreading through the network much easier."
Like Ryzenfall, Fallout also allows attackers to access protected data sections, including Credential Guard. But this vulnerability only affects devices using AMD's EPYC secure processor. In December, Microsoft announced a partnership with AMD for its Azure Cloud servers using EPYC processors.
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule," a Microsoft spokesperson said.
These chips are used for data centers and cloud servers, connecting computers used by industries around the world. If attackers used the vulnerabilities described in Fallout, they could steal all the credentials stored and spread across the network.
"These network credentials are stored in a segregated virtual machine where it can't be accessed by standard hacking tools," said CTS-Labs CEO Ido Li On. "What happens with Fallout is that this segregation between virtual machines [is] broken."
Segregated virtual machines are portions of your computer's memory split off from the rest of the device. Researchers use them to test out malware without infecting the rest of their computer. Think of it as a computer inside your computer.
With Credential Guard, sensitive data is stored there and protected so that if your computer was infected by normal malware, the malware wouldn't be able to access that data.
Chimera comes from two different vulnerabilities, one in firmware and one in hardware.
The Ryzen chipset itself allows malware to run on it. Because Wi-Fi, network and Bluetooth traffic flows through the chipset, an attacker could use that to infect your device, the researchers said. In a proof-of-concept demonstration, they said, it was possible to install a keylogger, which would allow an attacker to see everything typed on an infected computer.
The chipset's firmware issues mean that an attack can install malware onto the processor itself.
"What we discovered is what we believe are very basic mistakes in the code," said Uri Farkas, CTS-Labs vice president of research and design.
What should I do?
It's unclear how long it will take to fix these issues with AMD's processors. CTS-Labs said it hasn't heard back from AMD. The researchers said it could take "several months to fix." The vulnerabilities in the hardware can't be fixed.
Intel and Microsoft are still managing patches for Meltdown and Spectre, and the fixes have ended up causing problems, including slower performance on affected computers. These new vulnerabilities could mean similar headaches for AMD-powered devices.
"Once you're able to break into the security processor, that means most of the security features offered are broken," Li On said.
Updated at 1:22 p.m. PT: To include details from CTS-Labs' legal disclaimer.