A class action lawsuit has been filed against Intel over its handling of speculative execution vulnerabilities found in its CPUs, particularly the recently disclosed attack method named Downfall.
A 112-page class action complaint was filed this week by plaintiffs represented by Bathaee Dunne. News of a Bathaee Dunne-led lawsuit against Intel over the Downfall vulnerability emerged in late August, when the law firm announced that it was preparing to file a complaint.
The plaintiffs say the Intel CPUs they have purchased are “defective” because they are either left vulnerable to cyberattacks or they have significantly slower performance due to the vulnerability fixes made available by the chip giant.
The complaint says Intel has known about speculative execution vulnerabilities in its processors since 2018, when cybersecurity researchers disclosed the existence of two attack methods named Meltdown and Spectre.
These types of attacks typically allow an attacker who has access to the targeted system — and in some cases remotely — to bypass security protections and obtain sensitive information such as passwords and encryption keys from memory. However, conducting an attack is often not an easy task and there are no public reports about such flaws being exploited in the wild.
Following the disclosure of Meltdown and Spectre, Intel has been informed about several other speculative execution vulnerabilities and the company has been taking steps to address them.
However, customers are displeased with the fact that fixes for these issues introduce significant performance degradation and accuse Intel of selling CPUs that it knew were flawed over the course of several years.
In the case of the Downfall attack, which a Google researcher disclosed in August after giving Intel more than a year to take action, has been described as highly practical, with a PoC exploit showing how it can be leveraged to steal OpenSSL encryption keys.
“When the Downfall vulnerability became public, Intel issued a microcode update, which supposedly mitigated the Downfall vulnerability. In reality, Intel’s ‘mitigation’ had handicapped the very systems, namely speculative execution and branch prediction, that are central to the function of every modern CPU, resulting in as much as a 50% performance degradation in affected CPUs,” the complaint reads.
The complaint shows exactly how much the value of an impacted Intel CPU has decreased due to the performance degradation.
The plaintiffs “seek monetary relief against Intel measured as the greater of (a) actual damages in an amount to be determined at trial or (b) statutory damages in the amount of $10,000 for each plaintiff.”
SecurityWeek has reached out to Intel for comment and will update this article if the company responds.
Related: Companies Respond to ‘Downfall’ Intel CPU Vulnerability
Related: Software Vendors Start Patching Retbleed CPU Vulnerabilities
Related: Intel Introduces Protection Against Physical Fault Injection Attacks