The new year has gotten off to a decidedly turbulent start for Apple. After closing out 2017 under a mountain of class actions from consumers whose iPhones are supposedly running much slower than they should be, the Cupertino-based company is now the defendant in a new proposed class action lawsuit claiming, among other allegations, that it has failed to offer acceptable repairs for security vulnerabilities found in its devices’ processors, weaknesses dubbed by the tech community as “Meltdown” and “Spectre.”
The 17-page complaint charges that Apple has known about the design defect that gave way to Meltdown and Spectre—described as such due to the way in which hackers can exploit the weaknesses—since at least June 2017. Given that it released an operating system update in December 2017 to address the Meltdown vulnerability, the two lead plaintiffs argue, Apple should have taken measures to disclose the problems to consumers more promptly. According to the case, Apple, even after becoming aware of Meltdown and Spectre, continued to sell iPhones, iPads and Apple TVs without disclosing this issue to consumers or having an adequate repair plan to offer.
Back up. What’s this about?
Last week, British publication The Register revealed that essentially every Intel microprocessor made within the last 10 years (as well as other processor types, including AMD and ARM) comes with a fundamental security flaw that “could be leveraged by malware and hackers to more easily exploit other security bugs.” As The Register succinctly explained in a follow-up piece, the microprocessors’ design flaw “allows sensitive data, such as passwords and crypto-keys, to be stolen.”
Here’s another breakdown, from Gizmodo:
“Essentially, modern Intel processors have a design flaw that could allow malicious programs to read protected areas of a device’s kernel memory (memory dedicated to the most essential core components of an operating system and their interactions with system hardware). This flaw could potentially expose protected information like passwords. Since the error is baked into the Intel x86-64 hardware, it requires an [operating system]-level overwrite to patch—on every major operating system, including Windows, Linux, and macOS.”
Of course, the situation is far more complex (and may be somewhat indecipherable to many consumers unfamiliar with ARM-based architecture, kernel memory leaking, and privileged memory access) than the above statement indicates.
(For those who may be wondering, yes, Intel itself has already been hit with a few proposed class action lawsuits over all this, notwithstanding reports that its CEO may soon be under investigation for the peculiar timing of some stock sales.)
What does the lawsuit say about Meltdown and Spectre?
Here’s what you need to know, according to the complaint:
“The Meltdown and Spectre techniques allow hackers to take advantage of a modern computer processor (or ‘CPU’) performance feature, called speculative execution. Speculative execution attempts to improve speed by executing multiple instructions at once (or even in a different order than when entering the CPU). To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction is wrong, speculative execution is rolled back in a way that is intended to be invisible to software.”
This is where kernels come in. The complaint explains that a kernel is “the most vital software component of a computer,” acting as a go-between from programs to other components, including the processor and a computer’s memory. A kernel’s main duty, the case continues, is to prevent data in one program from being read by another.
Meltdown and Spectre are the names for methods by which bad actors can abuse speculative execution to access a computer system’s privileged memory from a less-privileged user process, for example malware running on the device. Through Meltdown and Spectre, the case says, hackers can effectively access data that should be protected by the kernel. This information can include passwords, Social Security numbers, credit card and banking details, and photos. Notably, attacks run through malicious applications cannot be detected by antivirus software, the lawsuit says.
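Because the attacks themselves leave nothing for antivirus software to spot, the practical question for an administrator is whether the operating system’s mitigations are actually in place. The script below is an added example, not part of the complaint or of any Apple or vendor tooling: it reads the mitigation status that a Linux kernel (4.15 and later) reports under /sys/devices/system/cpu/vulnerabilities/ and flags any entry still marked “Vulnerable.” macOS and iOS expose no equivalent interface, so it only covers Linux hosts; the sample directory it builds with mktemp holds constructed values so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: summarise speculative-execution mitigation status as
# reported by a Linux kernel (4.15+). Not from the article or complaint.
#
# Usage: spectre_status [DIR]
#   DIR defaults to the real sysfs path; pass another directory to
#   inspect constructed samples.
# Exit status: 0 if every entry is mitigated or not affected,
#              1 if any entry reports "Vulnerable",
#              2 if the directory does not exist.

spectre_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no vulnerability interface at $dir" >&2; return 2; }
    rc=0
    # meltdown, spectre_v1 and spectre_v2 are the entries the kernel
    # added for these issues; newer kernels add more files alongside them.
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        name=$(basename "$f")
        if [ ! -r "$f" ]; then
            printf '%-10s %s\n' "$name" "not reported by this kernel"
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    printf '%-10s VULNERABLE  (%s)\n' "$name" "$status"; rc=1 ;;
            Mitigation*)    printf '%-10s mitigated   (%s)\n' "$name" "$status" ;;
            "Not affected") printf '%-10s not affected\n' "$name" ;;
            *)              printf '%-10s unknown     (%s)\n' "$name" "$status" ;;
        esac
    done
    return "$rc"
}

# Constructed sample directory (values are illustrative, not from a real
# host) so the function can be exercised where sysfs is unavailable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    spectre_status
else
    echo "no live sysfs interface here; showing the constructed sample:"
    spectre_status "$(make_sample_dir)" || true
fi
```

The exit status makes the function usable from a fleet inventory or cron job: a non-zero result from spectre_status is the signal that a host still needs the kernel update or microcode the mitigation depends on.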
Where does Apple fit into this situation?
The lawsuit aims to take Apple to task for the allegedly “wholly inadequate” firmware and software patches it offered to protect against Meltdown and Spectre. The remedies Apple offered for the Meltdown technique are “expected to reduce processor speed by between five and 30 percent,” according to the complaint, which no doubt stings consumers a little more given the $900 billion company’s current legal predicament.
It’s important to note here that although the lawsuit claims there exists “no complete firmware or software patch to fully protect against the Spectre technique at this time,” with no indication as to whether such fixes will also slow down processors, MacRumors this morning reported Apple has released a macOS High Sierra supplemental update that addresses the Spectre flaw.
And Apple allegedly knew of Meltdown and Spectre for a while without saying anything?
That’s what the plaintiffs are claiming.
As Ars Technica thoroughly detailed, the “who knew what, and when?” aspect of this situation may be a focal point in the coming weeks. The lawsuit asserts Apple has known of Meltdown and Spectre since at least June 2017 after it was notified of the vulnerabilities by Google’s Project Zero.
What’s worse, the plaintiffs say, is that had Apple performed proper tests and security checks of its processors, it would have come across Meltdown and Spectre much earlier, given its access to proprietary information and that the supposedly defective processors are at “the center of its business.”
The complaint rounds out with the plaintiffs describing the pickle they and other consumers have been left in as a result of Apple’s ostensible lack of diligence.
“The position in which this leaves consumers is clear. They have iDevices using Apple Processors that are slower and more vulnerable to attacks by hackers than what consumers bargained for. They have iDevices incorporating Apple Processors that are not adequate for their ordinary purpose. [The plaintiffs] and other class members would not have purchased iDevices, or would not have paid as much for them, had they known the truth about the security vulnerabilities to the Apple Processors.”
Who’s included in the proposed class for this lawsuit?
The litigation proposes to cover a class of consumers nationwide who bought or leased their iDevices—iPhones, iPads and Apple TVs—at any time between 2007 and the present. Also proposed are two sub-classes of New Hampshire and New York residents who purchased or leased covered Apple devices in those states.
The full complaint can be read below.