SecurityWeek

Intel Sued Over ‘Downfall’ CPU Vulnerability 

A class action lawsuit has been filed against Intel over its handling of CPU speculative execution vulnerabilities, with a focus on Downfall.

A class action lawsuit has been filed against Intel over its handling of speculative execution vulnerabilities found in its CPUs, particularly the recently disclosed attack method named Downfall. 

A 112-page class action complaint was filed this week by plaintiffs represented by Bathaee Dunne. News of a Bathaee Dunne-led lawsuit against Intel over the Downfall vulnerability emerged in late August, when the law firm announced that it was preparing to file a complaint.

The plaintiffs say the Intel CPUs they have purchased are “defective” because they are either left vulnerable to cyberattacks or they have significantly slower performance due to the vulnerability fixes made available by the chip giant.

The complaint says Intel has known about speculative execution vulnerabilities in its processors since 2018, when cybersecurity researchers disclosed the existence of two attack methods named Meltdown and Spectre. 

These types of attacks typically allow an attacker who has access to the targeted system (and in some cases a remote attacker) to bypass security protections and obtain sensitive information such as passwords and encryption keys from memory. However, conducting an attack is often not an easy task and there are no public reports about such flaws being exploited in the wild.

Following the disclosure of Meltdown and Spectre, Intel has been informed about several other speculative execution vulnerabilities and the company has been taking steps to address them. 

However, customers are displeased with the fact that fixes for these issues introduce significant performance degradation and accuse Intel of selling CPUs that it knew were flawed over the course of several years. 

The Downfall attack, which a Google researcher disclosed in August after giving Intel more than a year to take action, has been described as highly practical, with a PoC exploit showing how it can be leveraged to steal OpenSSL encryption keys.

“When the Downfall vulnerability became public, Intel issued a microcode update, which supposedly mitigated the Downfall vulnerability. In reality, Intel’s ‘mitigation’ had handicapped the very systems, namely speculative execution and branch prediction, that are central to the function of every modern CPU, resulting in as much as a 50% performance degradation in affected CPUs,” the complaint reads.

The complaint shows exactly how much the value of an impacted Intel CPU has decreased due to the performance degradation.

The plaintiffs “seek monetary relief against Intel measured as the greater of (a) actual damages in an amount to be determined at trial or (b) statutory damages in the amount of $10,000 for each plaintiff.”

SecurityWeek has reached out to Intel for comment and will update this article if the company responds.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
