AMD and researchers spar over shocking attack's real-world dangers
Hypothetical threat, or concrete danger?
What you need to know
- Researchers have exposed a vulnerability with AMD SEV (Secure Encrypted Virtualization).
- In response, AMD has cast doubt on the real-world implications of the discovery, citing physical logistical hurdles for threat actors.
- The researchers have responded, disputing the existence of said hurdles.
In one of the more tech-savvy, inside-baseball bits of news to crop up recently, AMD and a group of researchers have begun something of a sparring match, going back and forth over whether AMD SEV (Secure Encrypted Virtualization) has just had a dangerous vulnerability exposed or if nothing more than inconsequential hypotheticals have been presented.
Here's the idea behind SEV (based on how AMD is positioning it): It's meant to safeguard virtual machine data in the cloud so that admins can't go wild and cause chaos. However, in a research paper entitled "One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization," researchers shine a spotlight on where SEV can be compromised (via The Register).
"By manipulating the input voltage to AMD systems on a chip (SoCs), we induce an error in the read-only memory (ROM) bootloader of the AMD-SP, allowing us to gain full control over this root-of-trust," the paper says. "This type of attack is commonly referred to as voltage fault injection attacks."
AMD replied that this is not a remote attack scenario, casting doubt over the real-world utility of the attack. However, the researchers came back with a statement. When speaking to TechRadar Pro, Robert Buhren, one of the paper's authors, pointed out that "no physical tampering with machines in the data center is required" and that the threat posed by a voltage fault injection attack is very much real.
Furthermore, Buhren highlighted that the vulnerability being unrelated to firmware means that firmware updates can't stop it, making it even more dangerous. AMD has yet to publicly reply to the updated researcher response.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to email@example.com.
"He explains that their most recent glitching attack makes it possible to extract details from all three generations of Zen CPUs, in essence enabling the PoC [proof of concept] to work on all AMD processors that support SEV." Perhaps AMD will have a response to this new line of reasoning as well, but I've not seen one from them yet.