Intel hit by class action lawsuit in the wake of ‘Meltdown’ and ‘Spectre’ security flaw revelations

As the computer industry scrambles to patch security vulnerabilities in their processor chips in the wake of revelations over ‘Meltdown’ and ‘Spectre’ security flaws, Intel Corp has this week been hit with a class action lawsuit in the US claiming that all Intel x86-64x core processors (CPUs) manufactured since at least 2008 suffer a security defect that renders them unfit for purpose, given that patching will “dramatically” reduce their performance.

Meltdown and Spectre take advantage of major security flaws in the microprocessors in the majority of the world’s computers, potentially allowing hackers to steal sensitive data such as passwords and log-in keys, including from mobile devices, personal computers and servers running in cloud computer networks.

The lawsuit, filed by San Diego lawyers Doyle APC and Tennessee lawyers Branstetter, Stranch & Jennings, is brought on behalf of “all persons who purchased a defective Intel CPU.”

The suit directly follows and quotes an article in US tech publication The Register on 2 January, which claimed that a fundamental design flaw in Intel’s processor chips has forced a significant redesign of the Linux and Windows kernels to fix the chip-level security bug, and that the updates will cause a performance slow-down of between 5% and 30%.

The Register said: “Programmers are scrambling to overhaul the open-source Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

“Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we’re looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.”

The class action this week against Intel, which is headquartered in the US and is the world’s second-largest chip maker after Samsung, claims:

– Intel’s x86-64x CPUs suffer from a security defect, which causes the CPUs to be exposed to troubling security vulnerabilities by allowing potential access to extremely secure kernel data. The only way to “patch” this vulnerability requires extensive changes to the root levels of the Operating System which will dramatically reduce performance of the CPU.

– The Defect renders the Intel x86-64x CPUs unfit for their intended use and purpose.

– The only “fix” would be to exchange the defective x86-64x processor with a device containing a processor not subject to this security vulnerability.

– CPU owners are left with the choice of either purchasing a new processor or computer containing a CPU that does not contain the Defect, or continuing to use a computer with security vulnerabilities or one with significant performance degradation.

– The CPUs were not fit for purpose.

Much of the claim centres on Intel processors’ “speculative execution”, whereby the processor attempts to guess what operation is going to run next so that the code can be standing by, ready to execute. “Intel’s “speculative execute” code may “fetch” secure codes without first performing a security check which would block such a request. So an innocuous program such as Javascript might be exploited to gain access to extremely secure kernel data,” the claim alleges.

It adds that any ‘fix’ will not only impact the performance of CPUs but have an indirect impact, with countless servers that run internet-connected services in the cloud – including cloud-based services from Microsoft, Google and Amazon – likely to see a degradation in performance.

In response to media coverage this week, Intel issued a statement on 3 January saying: “Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

The Wall Street Journal yesterday (4 January) reported that Intel, among other tech companies, wrestled with the problem for months and could have been notified as long ago as June 2017.

Speaking to Am Law’s The Recorder this week, Chris Cantrell of Doyle APC, one of the lawyers who filed suit Wednesday, said he expects many more suits to be filed on behalf of consumers and businesses against Intel in the coming days and weeks — especially since cloud computing services hosted by Amazon, Google and Microsoft are expected to be impacted by the security fixes.

“I fully expect there to be additional filings and that this will go the usual route of multidistrict litigation,” Cantrell told The Recorder. “Just the sheer number of devices that we’re talking about … Most of the desktop and laptop computers in use today.”