A group of five Intel CPU buyers has begun a class action suit against the iconic PC chip designer, a court document shared by The Register reveals. The plaintiffs assert that Intel knowingly sold billions of CPUs after it already knew of the AVX side-channel vulnerability that would eventually precipitate Downfall. It is further claimed that Intel has had knowledge of the AVX vulnerability since 2018 and that Intel’s patch to its architectural flaw meant CPUs were “slowed down beyond recognition.”
Back in August, we reported on behind-the-scenes legal manoeuvrings as a class action against Intel brewed. At that time we recalled that contemporary tests on Intel CPUs spanning the Skylake to Rocket Lake (6th to 11th Gen Core processor) architectures showed patching slowed some operations by as much as 50%. Apps that leaned heavily on AVX2 and AVX-512 workloads to complete tasks were worst affected. However, if left unpatched, threat actors could exploit Downfall to extract sensitive information like encryption keys from systems using the 6th to 11th Gen Core CPUs via malware or local access.
The key complaint within the court document, which asks for a jury trial at the US District Court in San Jose, isn’t about the existence of the Downfall vulnerability, or the patch performance penalty, but about Intel basically sitting on its hands. The plaintiffs say that Intel has known of the “defect” behind Downfall since 2018.
Of course, 2018 was a very big year for computer security news. This was the year when Spectre and Meltdown were all over the headlines in the tech press. It was the first time we had seen exploits targeting the speculative execution process that is used by many modern CPUs to speed up calculations. Due to the way this process was implemented, threat actors could snoop on data in memory from other processes.
With all the uproar about Spectre and Meltdown, some security researchers began to look at similar attack vectors. It is thought that, in June 2018, Alexander Yee was one of the first computer enthusiasts and tinkerers to write about a “new Spectre exploit variant for Intel processors involving AVX and AVX512 instructions.” Intel got Yee to keep any detailed report under his hat until August 2018. With early access to this data and thousands of engineers on its payroll, one might have expected Intel to do something about this AVX data-leaking possibility.
Actually, according to the class action filing, Yee wasn’t the only one to warn Intel of AVX vulnerabilities which would eventually precipitate Downfall. A key argument of the plaintiffs is that “In the summer of 2018, as Intel was dealing with the fallout of Spectre and Meltdown and promising a hardware fix in future CPU generations, Intel received two separate vulnerability reports from third parties flagging a particular set of instructions on Intel’s CPUs, called the Advanced Vector Extensions (AVX).” Importantly, Intel hasn’t denied seeing these reports; the court document says “Intel contemporaneously acknowledged both reports.”
Above we have mentioned the main thrust of the class action suit, with complaints about Intel knowingly selling billions of CPUs since 2018 with a “defect.” Secondly, the two unacceptable choices for the CPU buyers were to either leave the vulnerability open or to apply a patch that “destroys their CPUs’ performance.” And it is mainly due to these factors that the plaintiffs are asking for “damages and equitable relief” from Intel.
Some interesting background to each of the five plaintiffs is also provided in the court document shared by The Register [PDF]. Basically, each talks about their research into buying or DIYing a fast modern PC, how the system performance was eventually impacted by Downfall mitigations, and how price / performance was thus heavily impacted.