Plaintiffs Seek Replacement Program for 'Defective' Intel CPUs, Says Complaint
A defect in Intel central processing units (CPUs) can only be “fixed” by adopting a patch that slows CPU performance by as much as half, said a fraud complaint (docket 4:23-cv-05761) Wednesday in U.S. District Court for Northern California in Oakland.
The vulnerability, called Downfall, was caused by a flaw Intel has known about since 2018 “but never disclosed,” the complaint said. Plaintiffs “are left with defective CPUs that are either egregiously vulnerable to attacks or must be slowed down beyond recognition to ‘fix’ them,” said the complaint. Performance is halved during certain “ordinary computing tasks,” such as photo and video editing, gaming and encryption, it said.
Intel “defectively designed” a technique that’s supposed to allow for substantial increases in computing power and efficiency in “billions” of its CPUs, said the complaint. “Speculative execution” techniques include subsystems that allow CPUs to execute instructions “out of order” and to predict the outcome of future instructions, functionality that’s part of “every CPU that Intel and its competitors make,” said the complaint. Modern CPUs also use segmentation to separate system memory and hardware from user programs, it said.
When Intel’s CPUs speculatively execute instructions, “they are supposed to discard the results of an execution if the CPU guessed wrong,” the complaint said. Instead, “Intel’s CPUs leave ‘side effects’": Data “remains in temporary buffers or in the CPU’s cache memory even after the speculative execution’s results are discarded,” it said. That means Intel’s CPUs “allow speculatively executed code to see system resources and information that only an operating system or privileged computer program should be able to see, violating segmentation,” it said.
The design defect became public in January 2018 in “Meltdown” and “Spectre” -- cyberattacks that resulted in unprivileged code reading data it should not be able to – and Intel “scrambled to fix them,” promising firmware and hardware solutions in its upcoming 9th generation CPUs, the complaint said. As it was dealing with the fallout from that defect, Intel received vulnerability reports from third parties flagging instructions on its CPUs called the Advanced Vector Extensions; it did nothing to redesign the chips to ensure that AVX instructions “would operate securely when the CPU speculatively executed them,” it said.
“Worse yet,” the complaint said, Intel had implemented, but didn’t disclose, “secret buffers” with the instructions. The buffers, “coupled with side effects left in CPU cache, opened what was tantamount to a backdoor in Intel’s CPUs, allowing an attacker to use AVX instructions to easily obtain sensitive information from memory —including encryption keys used for Advanced Encryption Standard” encryption — by exploiting the design flaw that Intel “had supposedly fixed after Spectre and Meltdown.”
Intel told customers that it engineered a hardware fix for the design flaw that enabled Spectre and Meltdown in 9th generation-and-later CPUs and that all of its CPU vulnerabilities had been “mitigated,” the complaint said. When the Downfall vulnerability became public, Intel issued an update, but the “’mitigation… handicapped the very systems, namely speculative execution and branch prediction, that are central to the function of every modern CPU, resulting in as much as a 50% performance degradation in affected CPUs,” it said.
Plaintiffs Darques Smith, San Diego; Renee Waltrip, Kansas City, Kansas; Brian Cameron, Northbrook, Illinois; Elizabeth Cordova, Orange, California; and Michael Worley, Coon Rapids, Minnesota, “are left with defective CPUs that must be severely impaired in performance and functionality to ‘mitigate’ their vulnerability to Downfall: These are not the CPUs they purchased,” said the complaint.
The complaint asserts violation of several state fraud, deceptive business, unlawful trade practices and false advertising laws; negligence; breach of implied warranty; and unjust enrichment. Plaintiffs seek an injunction enjoining Intel from continuing “false and misleading statements and omissions regarding the CPUs; an injunction requiring it to implement a repair or replacement program; and a program to send affected CPUs to Intel for direct repair or replacement.
Damage to plaintiffs’ computers requires monetary compensation beyond what is available legally for injuries relating directly to the purchase of Intel’s CPUs and systems, said the complaint. To “adequately compensate Plaintiffs, some non-restitutionary disgorgement of profits is necessary” since compensation for the “diminution in value” of Intel’s CPUs “will not compensate Plaintiffs for harm to their computers,” it said.
Plaintiffs seek a recall or free replacement program; a buyback; a prohibition on falsely advertising the affected CPUs until the defect is corrected; recovery of the purchase price for their affected CPUs; damages to their computers; punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest. Intel didn't comment Thursday.