Security firm says it has found AMD chip flaws

An Israeli cyber security research firm with six employees says it has found security flaws in AMD microprocessors.

(Earlier this year, researchers revealed major security flaws in Intel processors.)

AMD said it was investigating the claims, which were followed by heavy trade in AMD shares. The stock closed up 1 percent to US$11.64 after a day of volatile trade. AMD traded between $11.10 and $12.04 following release of the report from Tel Aviv-based CTS Labs.

CTS executives said that they had shared their findings with some clients who pay the firm for proprietary research on vulnerabilities in computer hardware. They declined to identify their clients or say when they had provided them with data on the vulnerability.

"I can’t really talk about my clients," said Yaron Luk-Zilberman, chief financial officer at the firm that was founded in January 2017.

Short-seller Viceroy Research published a 25-page report on the vulnerabilities on Tuesday, betting its shares will fall.

AMD said that the report took it by surprise.

"This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings," AMD said in a note to customers on its website.

Viceroy founder Fraser Perring said that somebody anonymously emailed him a draft of the report at about 4 p.m. on Monday. The firm spent much of the evening analyzing the situation and ended up taking a "sizeable" short position in AMD, he said.

There has been increased investor interest in AMD since the beginning of the month, with options drawing large trades that appeared to be betting on increased near-term gyrations in the shares. Puts, options contracts that protect against a drop in the share price, were particularly active.

Last week, the cumulative number of open put contracts outnumbered open calls 1.5-to-1, the most defensive this measure has been in more than two years, according to options analytics firm Trade Alert data. That measure declined slightly by Tuesday.

On Friday and Monday, short selling of AMD's stock increased by about 15 million shares, according to S3 Partners, a financial analytics firm. That brought overall short interest in the chipmaker to about 180 million shares, the most since at least 2010.

"Over the last several days there was a spike in short selling that was completely out of the norm," said Ihor Dusaniwsky, S3 Partners’ head of research.

New York-based cyber security firm Trail of Bits told Reuters that it had verified the findings from CTS, which paid $16,000 for a review of the AMD vulnerabilities.

A Trail of Bits analyst spent a week reviewing detailed technical reports from CTS, along with proof of concept code that could be used to launch attacks on computers running vulnerable AMD chips, said Trail of Bits Chief Executive Dan Guido.

"These are real security issues in AMD code and processors" that hackers could exploit to manipulate or steal secure data, he said.

For the attacks to work, an attacker must first obtain administrator access to a targeted network, Guido said.

(Reporting by Jim Finkle in Toronto, Arjun Panchadar; Additional reporting by Noel Randewich in New York, Saqib Ahmed in New York and Shariq Khan in Bengalure; Editing by Susan Thomas and Grant McCool)