AMD's Random Microcode & DeepSeek impersonators
#173 - Generating random numbers on AMD processors gives you 4 | Packages pretending to be DeepSeek on PyPI steal your information
Hacking AMD’s ‘microcode’ to affect how the chip generates random numbers
What’s Microcode and why random number vulnerabilities affect the core of computer operations

What’s the news?
This piece of news on The Register intrigued me. It’s about how you can get a particular series of AMD chips to always generate 4 as a random number. The Google research team found a bug in AMD’s microcode that can be exploited provided you have the required access.
Why is it important?
Cryptography relies on being able to generate random numbers. Computer programs cannot generate random numbers, but computer hardware can manage it, and cryptographic functions rely on them. If you can break the algorithm used to generate random numbers in computer hardware, you can break the underlying cryptography.
Yes, you read it right. Computer programs cannot generate random numbers.
What about this then?
import random

def roll_dice():
    # random.randint draws from Python's default PRNG, not from a hardware source
    return random.randint(1, 6)

def main():
    while True:
        # Read the user's choice once per round
        choice = input("Press Enter to roll the dice (or type 'q' to quit): ")
        if choice.lower() == 'q':
            print("Exiting the game. Goodbye!")
            break
        print(f"You rolled a {roll_dice()}!")

if __name__ == "__main__":
    main()
When you use the random module in Python, you are using something called a PRNG (Pseudo Random Number Generator). It produces numbers that appear to be random, but are based on deterministic parameters.
There are some algorithms that can generate true random numbers. These are called, hold your breath, TRNGs (True Random Number Generators). They rely on physical sources of randomness like the noise in electrical circuits.
Strong cryptographic implementations avoid using PRNGs. They rely on the chip generating true random numbers using parameters like thermal noise, etc. The implementation of this lies in something called ‘microcode’ within the CPU architecture.
What is microcode?
Microcode is a set of instructions written in the CPU to help it execute instructions. It is here that the functions to generate random numbers are also implemented.
The first time I heard of microcode, I just assumed it would be the firmware of the machine. That’s not the case. The firmware is programmed into the ROM and microcode is directly on the CPU. Here is a set of differences as per our trusty AI sources:
The code that generates 4 as a ‘random’ number has been released by Google on GitHub here.
Take Action
The vulnerability in the AMD chips has been identified and has a severity score of 7.2. Exploiting it requires superuser privileges on the processor, but the article mentions a use case where a VM host machine has this vulnerability. Can the cryptography implemented on the guest OS be vulnerable?
AMD has released a patch for data centre level machines. If you use the affected CPUs, you can apply the patch. If you are using a personal computer with the affected AMD chip, well, good luck: don’t go implementing complex cryptographic algorithms that will change the world on it.
Look ma, I’m DeepSeek…
Python projects pretending to be DeepSeek on PyPI want to steal your information
DeepSeek is, to put it mildly, popular.
We haven’t yet gotten out of the debate whether DeepSeek is Chinese malware.
And we are already facing a new threat: DeepSeek impersonators. There are packages on PyPI, the Python Package Index, that pretend to be DeepSeek, but are actually infostealer malware. Read this and this for more details.
“The malicious packages, deepseeek 0.0.8 and deepseekai 0.0.8 were uploaded to PyPI on January 29, 2025, with only twenty minutes between them.”
Take Action
If you are a developer and have been facing pressure to save money by using DeepSeek, be careful. Some of the functions in these packages are programmed to read the environment variables and send the data to a command-and-control (C&C) server. Use only the authentic package to write your code.