Intel accused of hiding the 'Downfall' CPU bug, faces class action

Intel knew about Downfall but chose to ignore it, plaintiffs allege

Intel chose to sell vulnerable products despite identifying the Downfall bug in its processors in 2018, leaving owners with vulnerable Intel CPUs.

This has led to a class action suit being filed in a US Federal Court in San Jose, California, by five individuals, on their own behalf and representing the "Nationwide CPU Purchaser Class".

The suit states that the company was aware of the Downfall vulnerability in 2018. However, Intel opted to keep the flaws secret and did not fix the issues in its processors until Google researcher Daniel Moghimi discovered the vulnerability in 2022.

Moghimi went public with the issue in August 2023, after allowing Intel time to develop microcode updates to patch the flaw. However, the updates have the effect of slowing some processing operations.

The lawsuit claims the defective products are either "egregiously vulnerable" to attacks or must be slowed down to fix the Downfall bug.

Intel didn't fix Downfall for three more generations of its x86 chips, and customers have had to pay unfairly for the company's negligence, the plaintiffs argue.

The Downfall bug

Tracked as CVE-2022-40982, Downfall is a security flaw affecting Intel's 6th through 11th generation consumer chips and 1st through 4th generation Xeon x86-64 CPUs.

Billions of Intel CPUs used in personal and cloud-based computers can be manipulated to reveal secret user data, researchers at Google revealed earlier this year.

The issue occurs with the "Gather" AVX CPU instruction, which can leak the content of the internal vector register file during speculative execution.

However, the microcode updates released by Intel to fix the flaw can slow CPU performance by almost 50% when conducting simple computing tasks.

To make matters worse, the lawsuit also claims that Intel has implemented a few "secret buffers" associated with the flawed AVX instructions. Their existence was never disclosed publicly.

The secret buffers along with the Downfall vulnerability acted as a route into Intel's CPUs. This allowed an attacker to exploit the flawed design to obtain sensitive information stored in RAM, including passwords, encryption keys, banking details and more.

Despite being notified about Downfall by two different reports in 2018, Intel focused on handling the Spectre and Meltdown flaws in its CPU architecture.

In 2018 Intel publicly claimed to have implemented hardware fixes for Meltdown and Spectre, but ignored warnings about its AVX instructions which allowed a similar side-channel attack, the plaintiffs allege.