A class-action complaint was filed against Intel this week over its handling of data-leaking bugs in its CPUs.
In a 112-page filing with the San Jose Division of the US District Court for the Northern District of California, five representative plaintiffs allege that the chip giant knew about faulty instructions that enabled issues such as the recent “Downfall” bug roughly half a decade before it released any kind of fix.
Determining whether Intel’s handling of the flaws amounts to legally actionable negligence may be complicated, though, and the answer could have broad ramifications for the technology industry.
“Never having a flaw is an unrealistic demand,” says John Gallagher, vice president of Viakoo Labs at Viakoo, but “if my data is stolen because a vendor did not apply a patch in a timely manner, I should be able to sue them because of negligence.”
How Intel Has Handled its Chip Woes
Downfall was the name given to CVE-2022-40982, an information disclosure vulnerability with a medium CVSS score of 6.5 that affects Intel’s sixth- through eleventh-generation Core CPUs. As a Google researcher revealed at last August’s Black Hat, the way these processors speculatively execute the AVX Gather instruction leaks the contents of internal registers, so an attacker running on the same machine could read privileged data belonging to other users in a shared computing environment.
Though it exists in untold millions, even billions, of computers worldwide (Intel enjoys a majority of the global x86 CPU market), “at an individual level this will not impact most people; it is a relatively complex exploit and is based on a user sharing a computer or cloud environment,” Gallagher notes.
While the Google researcher first brought Downfall into the limelight in August, the new lawsuit points back far further than that.
In 2018, a hardware enthusiast published findings demonstrating a Downfall-style transient-execution vulnerability in Intel CPUs. It was similar to the more infamous chip bugs Spectre and Meltdown, and another related attack, NetSpectre, was published around the same time.
“However, despite multiple (publicly-known) vulnerability disclosures made to Intel on the subject, Intel did not carefully analyze[sic] possible side-effects in the AVX ISA and engineering hardware solutions to fix them in 2018. Or in 2019, or 2020, or 2021, or 2022. Instead, Intel put profits first, selling defective CPUs for years after it clearly knew them to be defective,” the complaint states.
Alongside the Black Hat disclosure this year, Intel released a microcode update that mitigates Downfall. But that fix, the complaint points out, reduces processing speeds to such a degree that “plaintiffs are left with defective CPUs that are either egregiously vulnerable to attacks or must be slowed down beyond recognition to ‘fix’ them.”
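For administrators who want to know where a given Linux host stands on that trade-off, the kernel reports the Gather Data Sampling (Downfall) mitigation state under sysfs. The script below is an added example written for this article, not code from Intel, the researcher or the complaint; it assumes a kernel recent enough to expose `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling` (6.5 or a distribution backport) and classifies the status strings the kernel documentation defines. The `gds_check` file argument exists only so the logic can be exercised against constructed sample values.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's reported Gather Data Sampling
# (Downfall, CVE-2022-40982) mitigation status. Assumes a kernel that exposes
# the sysfs file below; older kernels simply do not have it.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS
# Maps the kernel's status text to a one-word verdict. The status strings
# follow Documentation/admin-guide/hw-vuln/gather_data_sampling.rst:
#   "Not affected"                      - CPU not in the affected range
#   "Mitigation: Microcode"             - updated microcode active
#   "Mitigation: Microcode (locked)"    - active and cannot be turned off
#   "Mitigation: AVX disabled, no microcode" - gather_data_sampling=force
#   "Vulnerable" / "Vulnerable: No microcode" - exposed
#   "Unknown: Dependent on hypervisor status" - guest cannot tell
gds_classify() {
    case "$1" in
        "Not affected"*)              echo not-affected ;;
        "Mitigation: Microcode"*)     echo mitigated ;;
        "Mitigation: AVX disabled"*)  echo mitigated ;;
        "Vulnerable"*)                echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# gds_check [FILE]
# Reads the sysfs file (or FILE, used here only for testing with constructed
# values), prints "verdict (raw status)" and returns:
#   0 mitigated or not affected, 1 vulnerable, 2 unknown or file missing.
gds_check() {
    f="${1:-$GDS_SYSFS}"
    if [ ! -r "$f" ]; then
        echo "unknown (no $f; kernel predates GDS reporting?)"
        return 2
    fi
    status=$(cat "$f")
    verdict=$(gds_classify "$status")
    echo "$verdict ($status)"
    case "$verdict" in
        mitigated|not-affected) return 0 ;;
        vulnerable)             return 1 ;;
        *)                      return 2 ;;
    esac
}

# Stand-alone use: report this host. Wrapped in 'if' so a vulnerable verdict
# is reported rather than aborting the script under 'set -e'.
if gds_check; then
    echo "Downfall: host is covered"
else
    echo "Downfall: action needed (exit code $?)"
fi
```

A host that reports “Vulnerable: No microcode” needs the CPU microcode package (or a BIOS update) before the kernel can do anything; the kernel parameter `gather_data_sampling=force` disables AVX entirely as a stopgap, and `gather_data_sampling=off` turns the mitigation off for workloads that prefer the lost performance over the protection, which is exactly the choice the complaint objects to.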
Should Intel Be Held Legally Liable?
The threshold at which poor vulnerability remediation becomes outright negligence is as yet not clearly defined by law.
“Next year will be 30 years since the Intel ‘floating point error’ hit the headlines and caused Intel to do a recall of its chips (potentially to avoid being found legally liable). Since then the legal liability is not much clearer, as there will always be corner cases and minor flaws which would not rise to the level of legal liability,” Gallagher reflects.
And whether or not Intel was in the wrong, a complex side-channel bug with limited consequences for most computer owners doesn’t make for the clearest-cut test case. “If this were a widely exploited flaw that could have reasonably been prevented, it might give rise to legal liability, but without that it is just another example of how even with the most rigorous testing and product design, flaws will happen,” he says.
“If every side-channel attack exploiting a chip-level architectural flaw was brought as a legal case,” he concludes, “the dockets would be overflowing.”
Bathaee Dunne LLP, representing the plaintiffs, declined to comment for this story. Dark Reading also reached out to Intel, which had not responded as of publication.
[11/13/2023 Editor’s Note: The original headline was edited and this article updated to remove an incorrect dollar figure.]