Back in March of 2018 CTS-Labs disclosed a vulnerability that they found inside of AMD’s chipset line up. Now this is a normal thing that companies do in order to make sure that we are safe they try and break into electronics to find their vulnerabilities so that they can be updated. But what was odd about this disclosure was that they only gave AMD 24 hours of notice before they made the vulnerability public. To put this into perspective when Google release their security disclosure for Spectre and Meltdown they notified Intel 6 months before releasing it to the public. Now CTS-Labs reports “It doesn’t have any investment (long or short) in Intel or AMD.”, but it seemed a little fishy to me so I did some digging. While one site reports that they have a legal disclaimer stating “you are advised that we may have , either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.” Which to most people just sounds like a red flag but I can give them the benefit of the doubt on that one Lawyers need to make sure to cover all bases whether it is currently happening or not.
Next I wanted to look into the actual company. The company of CTS-Labs was created in 2017 and is based in Israel. They are a security company that focuses on hardware security so their report could be that they needed to get their name out to garner business and that is why the report was rushed but it could also be that Intel would have received the briefing about Spectre and Meltdown security flaws just around the time that CTS-Labs was created and Intel would have seen on the report that AMD was not affected by either of these issues. They would have know that when this gets out that is going to cause their stock to drop and AMD’s stock to jump up. So the logical thing to do is to find a security flaw in AMD’s chipset, but if they reported it that would look childish but if someone else reports it than it is fine. Supporting new business is something that many companies do and so they found a new business that couldn’t be traced to them offered them support and asked them to focus their efforts on finding security flaws in AMD’s chips hoping that they will find one by the time the public finds out about the security issues within their own chips.
Now all of this of course is conjecture as CTS-Labs has absolutely refused to give up any information about its funding for their investigation into the security flaws but this event has definitely created tension between security groups and manufacturers.