{"id":14711,"date":"2018-03-17T13:33:04","date_gmt":"2018-03-17T20:33:04","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=14711"},"modified":"2018-03-17T13:33:04","modified_gmt":"2018-03-17T20:33:04","slug":"security-bits-amd-bugs-amd-gets-its-turn-in-the-spotlight-ryzenfall-masterkey-fallout-chimera-graykey","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/03\/security-bits-amd-bugs-amd-gets-its-turn-in-the-spotlight-ryzenfall-masterkey-fallout-chimera-graykey\/","title":{"rendered":"Security Bits &#8211; AMD Bugs (AMD Gets Its Turn in the Spotlight (RyzenFall, MasterKey, Fallout &#038; Chimera) &#038; GrayKey"},"content":{"rendered":"<h3>Spectre\/Meltdown Update<\/h3>\n<ul>\n<li>Microsoft have removed the special registry flag which prevented the Spectre\/Meltdown patches being applied on machines without AV that explicitly declares itself compatible with the patch. This approach made sense early in the response to these bugs, but it did have an undesirable side-effect, a machine with no AV would never get patched. 
That&#8217;s no longer the case now \u2014 <a href=\"https:\/\/arstechnica.com\/gadgets\/2018\/03\/patch-tuesday-drops-the-mandatory-antivirus-requirement-after-all\/\">arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/gadgets\/2018\/03\/intel-outlines-plans-for-meltdown-and-spectre-fixes-microcode-for-older-chips\/\">Intel outlines plans for Meltdown and Spectre fixes, microcode for older chips \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>Security Medium 1 \u2014 AMD Gets Its Turn in the Spotlight (<em>RyzenFall<\/em>, <em>MasterKey<\/em>, <em>Fallout<\/em> &amp; <em>Chimera<\/em>)<\/h3>\n<p>Details are still a little sketchy, and the more we learn, the more some aspects of this story begin to smell a bit fishy, but regardless, it does seem that there are indeed 13 critical security vulnerabilities affecting many AMD CPUs, and the 13 vulnerabilities can be grouped into four named collections of related bugs, <em>RyzenFall<\/em>, <em>MasterKey<\/em>, <em>Fallout<\/em> &amp; <em>Chimera<\/em>.<\/p>\n<p>At the moment it seems none of these bugs can be remotely exploited, so an attacker would need another way into the computer before they can leverage one or more of these bugs to get up to mischief. Put another way, on their own these bugs don&#8217;t seem to pose an imminent danger, but combined with a remote code execution bug they could prove quite potent.<\/p>\n<p>The first thing that really smells fishy about this story is that the security firm that published the flaws registered the domain name for the bugs a month ago, but only gave AMD and a handful of other companies including Microsoft 24 hours&#8217; notice before going public. 
The next thing that really smells fishy is that it appears the security firm which published the bugs directly profited from doing so by shorting AMD on the stock market.<\/p>\n<p>Many security researchers are describing these bugs as &#8216;overhyped&#8217;, and Linus Torvalds has been absolutely scathing in his condemnation of how this all went down \u2014 <em>&#8220;It looks more like stock manipulation than a security advisory to me&#8221;<\/em>.<\/p>\n<p>The bugs affect AMD\u2019s EPYC server CPUs, Ryzen workstation CPUs, and Ryzen Pro &amp; Ryzen mobile CPUs. Some of the bugs affect the <em>security gatekeeper<\/em>, AMD&#8217;s equivalent of Apple&#8217;s <em>Secure Enclave<\/em>, and others affect AMD&#8217;s <em>Ryzen chipset<\/em>, which provides connectivity between the affected CPUs and connected peripherals like network and wifi chips. Most of the bugs are firmware bugs, but some are hardware bugs, and hence possibly unfixable. Some are being described as intentional back doors.<\/p>\n<p>Right now it&#8217;s not at all clear whether or not this is anything near as big a deal as it sounded initially. For now there are no actual attacks in the wild, and no patches of any kind (how could there be with such irresponsible disclosure!). 
There doesn&#8217;t seem to be any reason to panic, all we can really do for now is wait and see how this develops over the coming days, weeks, and months.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/threatpost.com\/amd-investigating-reports-of-13-critical-vulnerabilities-found-in-ryzen-epyc-chips\/130404\/\">AMD Investigating Reports of 13 Critical Vulnerabilities Found in Ryzen, EPYC Chips \u2014 threatpost.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/amd-investigating-ryzenfall-masterkey-fallout-and-chimera-cpu-vulnerabilities\/\">AMD Investigating RyzenFall, MasterKey, Fallout, and Chimera CPU Vulnerabilities \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2018\/03\/amd-processor-vulnerabilities.html\">13 Critical Flaws Discovered in AMD Ryzen and EPYC Processors \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techreport.com\/news\/33379\/cts-labs-defends-its-public-disclosure-of-amd-vulnerabilities\">CTS Labs defends its public disclosure of AMD vulnerabilities \u2014 techreport.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.techrepublic.com\/article\/amd-cpu-vulnerabilities-published-by-unknown-security-firm-after-24-hours-notice\/\">AMD CPU vulnerabilities published by unknown security firm after 24 hours notice \u2014 www.techrepublic.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cnet.com\/news\/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own\/\">AMD allegedly has its own Spectre-like security flaws \u2014 www.cnet.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.wired.com\/story\/amd-backdoor-cts-labs-backlash\/\">Researchers Point to an AMD Backdoor\u2014And Face Their Own Backlash | WIRED \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/bj5wy4\/amd-flaws-viceroy-short-selling-stock-market\">Can AMD Vulnerabilities Be Used to Game the Stock Market? 
&#8211; Motherboard \u2014 motherboard.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/www.zdnet.com\/article\/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report\/\">Linus Torvalds slams CTS Labs over AMD vulnerability report \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 <em>GrayKey<\/em><\/h3>\n<p>Last time we reported on controversial Israeli security firm Cellebrite&#8217;s new product offering which claims it can unlock modern iPhones running modern versions of iOS, including the iPhone 8 and the iPhone X running iOS 11.<\/p>\n<p>Details of exactly what Cellebrite can do, how long it takes, and what its success rate is were unclear then, and remain so now. Really, we just have marketing materials to go on. Cellebrite offer their unlocking product as a service, not as a device or piece of software that law enforcement agencies can use themselves. Instead, they have to send the phones they want unlocked to Cellebrite who then do their thing in private.<\/p>\n<p>There have been reports circulating about a physical device known as <em>GrayKey<\/em> being sold to law enforcement agencies for use at their own facilities by a US security firm named <em>Grayshift<\/em>. Details of this product have been really sketchy because not even the marketing materials are publicly available; instead, they sit behind a portal that only lets law enforcement agencies in.<\/p>\n<p>However, this week, details of <em>GrayKey<\/em> have leaked out, so we now know a lot more about how the product works.<\/p>\n<p>It&#8217;s a physical box with two Lightning ports. You plug two phones to be cracked into the box at the same time, wait two minutes, then remove the phones. They won&#8217;t be cracked immediately; instead, it will take a few hours for a phone locked with a 4-digit PIN, and a few days for a phone locked with a 6-digit PIN. 
One assumes it would take much longer for a phone with a strong alphanumeric password, if it works at all.<\/p>\n<p>When the crack succeeds the phones display some information on their screens including a passcode that can be used to unlock the device. At that point all the data can be downloaded from the phone into the <em>GrayKey<\/em> device, from whence it can be accessed by the crackers. The entire disk appears to be decrypted, as does the keychain.<\/p>\n<p>The bottom line remains the same as it was last time \u2014 no need to panic at the moment. This could develop into a real problem facing regular folks in the real world, but it hasn&#8217;t done so yet, and may very well never do so. For now, we need to simply wait and see how things develop.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/07\/second-company-claims-it-can-unlock-iphone-x\/\">Second company claims it can unlock iPhone X \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2018\/03\/graykey-iphone-unlocker-poses-serious-security-concerns\/\">GrayKey iPhone unlocker poses serious security concerns \u2014 blog.malwarebytes.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>March&#8217;s Patch Tuesday has been and gone with critical updates for Flash, and Windows \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/flash-windows-users-its-time-to-patch\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>The Windows patches include an important update for RDP (Remote Desktop Protocol) users \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/15\/microsoft-patches-rdp-vulnerability-update-now\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>The US Treasury Department has issued a scam alert to warn users that the US Government will <strong>never<\/strong> ask citizens to pay back-taxes with iTunes 
gift cards. This is in response to a spate of phishing attacks attempting to trick Americans into believing they owe back-taxes, and paying them to the attackers in the form of iTunes gift cards. (<strong>Editorial by Bart:<\/strong> while this is an American story, I&#8217;m pretty sure the same advice applies world-wide; no legitimate government agency is going to demand you pay your taxes in the form of iTunes gift cards!) \u2014 <a href=\"https:\/\/www.macobserver.com\/columns-opinions\/editorial\/psa-treasury-scam-alert-itunes-cards\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>The US government has blamed the Russian government for a years-long campaign of cyber attacks against the US power grid \u2014 <a href=\"https:\/\/www.reuters.com\/article\/us-usa-russia-sanctions-energygrid\/trump-administration-blames-russia-for-cyber-attacks-targeting-energy-grid-idUSKCN1GR2G3\">www.reuters.com\/\u2026<\/a><\/li>\n<li>Facebook publicly promises not to share WhatsApp data with Facebook unless and until it can do so without breaking GDPR \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/16\/facebook-we-wont-share-data-with-whatsapp-yet\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Facebook have started to automatically upgrade links posted by users to HTTPS when possible \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/09\/facebook-says-let-me-get-that-for-you-secures-your-links\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/apple-families-webpage\/\">Apple Intros \u2018Families\u2019 Webpage with Kid-safe Computing Tips \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>A chilling practical example of how iPhone thieves use social engineering to try to trick victims into giving up their iCloud login details, and hence, into defeating activation lock \u2014 <a 
href=\"http:\/\/www.loopinsight.com\/2018\/03\/06\/my-wifes-iphone-x-was-snatched-out-of-her-hand-in-clerkenwell-just-over-a-week-ago\/\">www.loopinsight.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/private-browsing-mode\/\">Private Browsing Mode isn\u2019t Just for Porn \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/disable-face-id-for-specific-apps\/\">Here\u2019s How to Disable Face ID for Specific Apps \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/15\/former-equifax-exec-charged-with-stock-dumping-before-breach-disclosure\/\">Former Equifax exec charged with stock dumping before breach disclosure \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>A bug in Memcached combined with a glut of insecurely configured instances leads to record-breakingly massive new DDoS attacks\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/05\/worlds-largest-ddos-attack-thwarted-in-minutes\/\">World\u2019s largest DDoS attack thwarted in minutes \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/powerful-new-ddos-method-adds-extortion\/\">Powerful New DDoS Method Adds Extortion \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Firefox continues to improve privacy in their browser\n<ul>\n<li>The latest version improves control over push notification requests \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/15\/firefox-makes-it-easy-to-banish-push-notifications\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>From version 62 onwards, two privacy-sapping but rarely legitimately used APIs will be removed \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/13\/firefox-turns-out-the-lights-on-two-privacy-sucking-features\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/15\/youtube-conspiracy-videos-to-get-links-to-wikipedia-and-other-sources\/\">YouTube conspiracy videos to get links to Wikipedia and other sources \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The MoviePass CEO plunged the company into controversy when he bluntly stated that the company tracks users as they go to and from cinemas. The company later <em>clarified<\/em> his remarks, saying it was just something the company was considering. (<strong>Editorial by Bart:<\/strong> It&#8217;s hard to know what&#8217;s really going on here, so I&#8217;ll just link to some coverage of the story and let you make up your own mind.)\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2018\/03\/05\/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies\/\">MoviePass CEO proudly says the app tracks your location before and after movies \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/columns-opinions\/editorial\/psa-moviepass-app-tracks-where-you-drive\/\">PSA: MoviePass App Tracks Where You Drive Before and After Movies \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/07\/we-know-all-about-you-moviepass-ceo-admits-to-tracking-users\/\">\u2018We know all about you\u2019 \u2013 MoviePass CEO admits to tracking users \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/month-in-review-apple-security-in-february-2018\/\">Month in Review: Apple Security in February 2018 \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/www.macobserver.com\/columns-opinions\/the-back-page\/facebook-watches-us\/\">How Facebook Uses Web Trackers, Third Party Advertising Data, Loyalty Cards and More to Watch Us \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/columns-opinions\/particle-debris\/faceid-on-iphone-cool\/\">Face ID on the iPhone is Cool. What About When the Police Use it? \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/12\/with-4-months-to-switch-on-https-are-web-hosting-companies-ready\/\">With 4 months to switch on HTTPS, are web hosting companies ready? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/look-alike-domains-and-visual-confusion\/\">Look-Alike Domains and Visual Confusion \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/tidbits.com\/article\/17837\">Can U.S. States Hang on to Net Neutrality? \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propeller Beanie Territory\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/update-your-mac\/\">macOS: How to Update Your Mac in the Terminal \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/07\/patch-now-half-a-million-exim-mail-servers-need-an-urgent-update\/\">Patch now! 
Half a million Exim mail servers need an urgent update \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Whois data to be redacted to comply with GDPR, access might be restored to some vetted groups including journalists and security researchers by December 2018 \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/03\/who-is-afraid-of-more-spams-and-scams\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/03\/16\/the-chrome-extension-that-knows-its-you-by-the-way-you-type\/\">The Chrome extension that knows its you by the way you type \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/spotlight-secrets-15-ways-to-use-spotlight-on-your-mac\/\">Spotlight Secrets: 15 Ways to Use Spotlight on Your Mac \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/www.loopinsight.com\/2018\/03\/14\/gorgeous-8k-video-of-the-aurora-borealis-dancing-in-the-skies-during-a-lunar-eclipse\/\">Gorgeous 8K video of the Aurora Borealis dancing in the skies during a lunar eclipse \u2014 www.loopinsight.com\/\u2026<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Spectre\/Meltdown Update Microsoft have removed the special registry flag which prevented the Spectre\/Meltdown patches being applied on machines without AV that explicitly declares itself compatible with the patch. This approach made sense early in the response to these bugs, but it did have an undesirable side-effect, a machine with no AV would never get patched. 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[2131,70,50,569],"class_list":["post-14711","post","type-post","status-publish","format-standard","hentry","category-blog-posts","category-security-bits","tag-amd","tag-iphone","tag-security","tag-security-bits"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=14711"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14711\/revisions"}],"predecessor-version":[{"id":14712,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/14711\/revisions\/14712"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=14711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=14711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=14711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}