AMD hit with two baseless class actions over Spectre/Meltdown

They don’t even logically parse at the moment

AMD Epyc logoAMD is being sued by not one but two technically ignorant firms over Spectre exploits. SemiAccurate is well past facepalm with the stupidity of this farce, we feel it is money grubbing at it’s basest level.

The two suits, that we know of, can be found here and here, but we won’t provide direct links to avoid crediting these cretins with any publicity. The suits allege some consumers were ‘harmed’ by AMD’s actions and statements, but at least one of the suits is factually inaccurate on it’s face. They are hype not founded by any factual harm, at least as far as SemiAccurate can see, and in our opinion are nothing more than legalized extortion attempts.

Side Channels:

Lets start out with the basics, there are three security ‘flaws’ that are collectively known as Spectre (Types 1 and 2) and Meltdown (Type 3). All three of them comprise a class of exploits known as side channel attacks which use things not associated with the main use of the product, be it CPU or razor blade, to do something unintended. A box cutter can be used to open a box as designed. The designers of box cutters likely never intended for those very useful and ubiquitous tools to hijack airplanes and crash them into skyscrapers. That said boxcutters were used to hijack planes and crash them into skyscrapers, but no one seems to be calling for the redesign of boxcutters.

AMD’s current CPUs, Zen core based products, are completely immune to Type 3 aka Meltdown. AMD did the right thing architecturally and it prevented an unknown type of attack. Intel did the wrong thing, one of it’s many severe institutional failings around security, and is vulnerable to Meltdown. That said there is absolutely nothing wrong with with either AMD or Intel CPUs as far as Spectre is concerned, Meltdown is more of an opinion matter but AMD is completely immune to it.

Lets give you another example, or three, of side channel attacks that like Spectre and Meltdown, read info that is supposed to be privileged and hidden. Remember Rambus’ Security Dynamics division? Remember how they can peel out RSA keys from just about any cell phone in seconds via RF radiation from transistors flipping or data being moved around? That is a side channel attack in action, you can read keys from a phone at a distance with a wire coil and an oscilloscope just like Spectre can read data from CPUs. You can do the same by measuring power draws of chips, they use different amounts of energy when computing a 1 or a 0, so sidechannel attacks can read keys through a power meter.

No one is suggesting that the RF radiation or energy use is a result of a flaw, it is how the CPU/SoC in the phone functions. Actually idiots are suggesting that it is a flaw, just like they are suggesting Spectre is a flaw, but they are wrong. In both cases the device in question did what it does correctly and without errors. Until the side channel attacks were invented, there was no way to read that data, and voilà one day there is.

Unknown:

In the case of Spectre and Meltdown, both side channels did not exist before Google’s Project Zero discovered them. It is new tech that just so happens to rip through software guards running on some CPUs. Those CPUs work exactly as described, sold, and promised, there are no errors. The software running on the CPUs can do things in a way that makes them Spectre vulnerable, and it can do things in a way that makes Spectre a moot point. Either way the CPU does the same thing, correctly, as described and sold.

Another analogy would be to sue a laptop maker because a user opened a document on a plane and the person next to them read it even though they were not allowed to. Did the laptop maker screw up by having a screen that could be read at an angle or did the operator screw up by opening a sensitive document in a public area? The two suits above are akin to suing a laptop maker for the software they did not control being used to display a document they had no knowledge of, opened in an environment by a total clod. Anyone with even a vague clue about tech or good intentions would laugh these suits out of court.

Documents:

How bad are these suits? Take a look at this from the application on the Vincent Wong page.

According to the complaint, throughout the Class Period defendants made false and/or misleading statements and/or failed to disclose that: (i) a fundamental security flaw in AMD’s processor chips renders them susceptible to hacking; and (ii) as a result, AMD’s public statements were materially false and misleading at all relevant times. On January 3, 2018, following reports that processor chips manufactured by AMD’s competitor, Intel Corporation, contained a major security flaw—known as the “Spectre” vulnerability—AMD advised investors that while its own chips were vulnerable to one variant of Spectre, there was “near zero risk” that AMD chips were vulnerable to the second Spectre variant. Then on January 11, 2018, AMD acknowledged that its chips were in fact susceptible to both variants of the Spectre security flaw.

Notice that it directly contradicts itself. It claims, correctly, that AMD said that there was “near zero risk” for Type 2 Spectre attacks on their CPUs. Then they go on to say that, “Then on January 11, 2018, AMD acknowledged that its chips were in fact susceptible to both variants of the Spectre security flaw.” as if it is something different from the last sentence. If you have even the most basic ability to parse words in a logical fashion, you would see these two sentences are saying the same thing, exactly the same thing. This is somehow supposed to be an indignity heaped on AMD investors, but how is beyond me.

So AMD said that it is vulnerable to Type 1 Spectre, and there are exploits in the wild for AMD and other CPU vendors’ architectures. Sure it is a software problem meaning that the overarching OSes and middleware do some ‘optimizations’ that allow it to happen, but it is possible on AMD hardware.

AMD also said there is “near zero risk” for Type 2/Spectre attacks working on it’s system. It seems that no one in the press bothered to talk to AMD about it and ask WHY they thought AMD said what it did, most just mocked the company. SemiAccurate did ask and the short story, to save you minutia about timing attacks, caches, prefetchers, virtual memory, and how wise it is to use least significant bits of an address vs more bits or the full address in certain obscure internal functions, we will just say AMD did things differently from most and the result is it is almost impossible to pull off a Type 2 Spectre attack on AMD hardware.

This is not just SemiAccurate’s opinion though. To date several antivirus and antimalware companies have reported hundreds of examples of malware that uses Spectre and Meltdown attacks in their nefarious workings. Of those, guess how many use Type 2 Spectre attacks that work on AMD hardware? (Note: You usually need a different set of code for the “same” attack on different hardware. AMD Type 1 attacks will not work on Intel or ARM hardware because of implementation differences, and the converse is true too. In short you need to tailor your malware for not just the Type 1/2/3 attack but also for the specific hardware it will run on.) Also guess how many times AMD has been able to make a Type 2 attack work on their hardware, even when people who know the low level details at the company try? Just for giggles, guess how many proof of concept, malware, or anything else out there can make a Type 2 attack work on AMD’s hardware?

Oh lets just cut the silliness and go to their statement which SemiAccurate asked the company for Monday afternoon. “We have yet to see a successful GPZ Variant 2/Spectre attack against a kernel, hypervisor, or user application on an AMD platforms. We remain vigilant in our work across our ecosystem on mitigations.” That means of the hundreds of attacks in the wild and proof of concepts, all of zero Type 2s are known to work on AMD as of this writing, and it isn’t for a lack of trying. “Near zero” seems to be zero in the real world, if anything AMD was overzealous in their characterization of the risks, SemiAccurate would have said zero. Since then we have learned the technical details and it just makes us more confident in those prognostications.

Like flying monkeys:

Lets get back to the lawyers. Both of them seem to take umbrage to the fact that AMD said the risk of a Type 2 attack was “near zero”. Then a bit over a week later said the same thing, just with different wording. They attribute this egregious act with AMD’s stock plummeting a massive $0.12 that day or a whopping .99%. Yes a near catastrophic 1% plunge was narrowly averted but they assert AMD stockholders were somehow severely damaged by AMD stating the same exact thing in two different ways. The horror.

This is the point that on Monday, January 10, AMD stock went up 1.32%. On the 11th it went up 0.17%, the 12th saw the a 0.83% drop according to Yahoo finance, and the 16th, the next trading day, saw a 1.73% plunge. The high for the year seems to have been $13.85 on January 31 and the low close was as this is being written on Monday, February 5, $11.57. Over the last two years we have a high of $14.75 on March 27, 2017 and a low of $1.83 on February 8, 2016.

As you can plainly see from the numbers above, AMD stating the same true risk in two different ways did… did… err… didn’t do sh*t to the stock. Worse yet for those miscreants at AMD, of the 23 trading days since the January 3 disclosure of Spectre and Meltdown, the stock has been up 13 days and down 10, inclusive of the overall market correction of the past two days. If that isn’t a clear cause and effect of AMD’s stating the same thing twice in slightly different ways, I don’t know what is. It is pretty obvious that AMD told the truth and told it again, time to sue!

Once again sillyness aside, AMD opened at $11.61 on January 3, 2018, the day these three attacks were outed. On February 1, 2018, the stock closed at $13.25 or to put it a different way, up by double digit percentages. Yes we purposefully omitted the last two days because of the overarching market implosion that some might say raises the spectre of a meltdown. Yes we had to. That said even with that in mind, AMD closed Monday at $11.57 or down $0.04 since the Google Project Zero disclosures. Can any sane person say this is harm? Can someone, and we mean this honestly, explain to us how AMD stating the same true fact in slightly different ways lead to this “harm”?

There is actually harm:

AMD’s stock today underperformed the market by a lot. Why? Possibly because of the launch of two lawsuits that SemiAccurate feels are both frivolous and borderline extortion. In contrast to this, AMD told the truth twice, albeit in slightly different ways, and the stock did, well, nothing. And for that they are being sued not once but twice. To put the cherry on this sundae of legal misery, to date there have been no successful Type 2 attacks on AMD hardware so “near zero” is actually zero for the moment. SemiAccurate thinks that moment will be a lot longer lived than either of these lawsuits.S|A

The following two tabs change content below.

Charlie Demerjian

Roving engine of chaos and snide remarks at SemiAccurate
Charlie Demerjian is the founder of Stone Arch Networking Services and SemiAccurate.com. SemiAccurate.com is a technology news site; addressing hardware design, software selection, customization, securing and maintenance, with over one million views per month. He is a technologist and analyst specializing in semiconductors, system and network architecture. As head writer of SemiAccurate.com, he regularly advises writers, analysts, and industry executives on technical matters and long lead industry trends. Charlie is also a council member with Gerson Lehman Group. FullyAccurate