A proposed class action lawsuit alleges Intel Corporation has for years “knowingly” sold billions of central processing units (CPUs) plagued with a design defect that leaves the chips “egregiously” vulnerable to cyberattacks—and its only “fix” can slow computer performance by as much as 50 percent.
The 112-page lawsuit, filed in the Northern District of California on November 8, says the design flaws present in Intel’s 6th through 11th generation of CPUs—which drive “billions of computers throughout the world”—can be easily exploited to steal sensitive data stored in a computer system’s memory, such as passwords or encryption keys.
After word got out in 2018 that Intel’s CPUs suffered from vulnerabilities—named Spectre and Meltdown by the third parties that discovered them—the company rolled out software mitigations that ultimately failed to address the root of these security problems and caused severe performance issues, the filing says.
According to the complaint, Intel assured consumers later that year that it would incorporate a hardware fix into the updated 8th and then-forthcoming 9th generations of CPUs to mitigate the problem. However, the company, also in 2018, was publicly warned by two separate researchers that its supposedly “fully-fixed,” faster-performing CPUs used advanced vector extension (AVX) instructions that were vulnerable to the same type of attack as Spectre and Meltdown, the case says.
Despite these promises and known risks, “Intel did nothing,” the lawsuit claims.
“It did not fix its then-current chips, and over three successive generations, Intel did not redesign its chips to ensure that AVX instructions would operate securely when the CPU speculatively executed them,” the complaint summarizes.
Rather, Intel continued to sell CPUs with the same “fundamentally flawed” hardware to unsuspecting consumers, the suit alleges. When a “gaping” vulnerability in the AVX instructions, known as “Downfall,” became public in 2023, Intel responded by issuing a microcode update that it said would address the issue, the filing relays.
But, as the case tells it, Intel’s latest mitigation efforts have “destroyed” CPU performance for several critical computing tasks, such as photo and video editing, gaming and encryption.
To date, Intel has yet to develop a fix to address the root design defect present in its 6th through 11th generation CPUs, issue a recall of the affected chips or offer replacements, the complaint says. In fact, the filing shares, the company continues to market the chips, or computers into which one of the chips is installed, as having sufficient processing speeds while actively concealing from consumers security issues associated with the CPU defect.
The complaint stresses that Intel’s allegedly “fraudulent” omissions and representations have essentially tricked consumers into buying or significantly overpaying for CPUs that render their devices susceptible to cyberattacks and perform at speeds supposedly in line with processors of the early 2000s.
The suspected defect
The suit claims that the alleged design defect in Intel’s CPUs can be traced back to issues with three of their core functions: branch prediction, out-of-order execution and speculative execution.
First incorporated into CPUs in the 1990s, branch prediction is a design technique now used in all modern chips that prevents stalling and allows for “swift, stable operation” as a CPU waits for information from relatively slow system memory, the case explains. Per the complaint, branch prediction works by having the CPU predict what a program will likely do when the chip encounters a conditional instruction, that is, an instruction whose outcome depends on a value stored in memory.
“This technique permitted substantial increases in computing power and efficiency, and gave rise to further ‘speculative execution’ techniques, including subsystems that allow CPUs to execute instructions out of order and even to predict the outcome of future instructions,” the filing says.
The suit explains that should a CPU guess wrong about a series of instructions—called transient instructions—it should completely discard the speculative code.
It’s important that the branch prediction, speculative execution and out-of-order execution systems do not allow “side effects” of these sometimes “erroneous, insecure, or malicious” transient codes to remain in spaces of the CPU that are accessible to the running computer program, the case says. Otherwise, the filing explains, serious security problems can arise.
Therein lies the problem with the CPUs at issue, the lawsuit contends.
“Intel’s design does not ensure that transient code is prevented from making lingering changes to shared CPU resources, which make its CPUs vulnerable to an entire class of attacks, called transient execution attacks,” the complaint summarizes.
These hardware design flaws ultimately resulted in dangerous security vulnerabilities known as Spectre and Meltdown, which TechRepublic reported in May 2019 could allow cybercriminals to access confidential information by “bypass[ing] system security protections present in nearly every recent device with a CPU—not just PCs, servers, and smartphones, but also Internet of Things (IoT) devices like routers and smart TVs,” the suit relays.
A cure that rivals the disease?
According to the lawsuit, Intel raced in 2017 and 2018 to develop software mitigations for Spectre and Meltdown—all of which led to substantial performance degradation. The case explains that the “fixes” worked to patch the security vulnerabilities by “disabling or handicapping” the CPU’s branch prediction, out-of-order execution and speculative execution systems—features designed to prevent stalling.
Although Intel announced in 2018 that its CPUs would have AVX capabilities designed to overcome Spectre and Meltdown vulnerabilities, hardware enthusiast Alexander J. Yee was one of the first to publicly warn the company that the AVX instructions were susceptible to the same transient execution attacks, the complaint relays.
“However, despite multiple (publicly-known) vulnerability disclosures made to Intel on the subject, Intel did not carefully analyzing [sic] possible side-effects in the AVX ISA and engineering hardware solutions to fix them in 2018,” the case says. “Or in 2019, or 2020, or 2021, or 2022.”
The complaint claims that “the inevitable eventually occurred” in August 2023 when Intel announced Downfall, another “catastrophic” vulnerability stemming from its defective speculative execution hardware. Per the suit, the Downfall exploit had been discovered and reported to Intel back in August 2022 by Google engineer Daniel Moghimi, who later published his findings after the defendant reportedly gave him its permission.
Although these vulnerabilities require a hardware redesign addressing the underlying root cause, Intel has merely issued a microcode update that results in the same performance issues as the Spectre and Meltdown “fixes,” the filing claims.
“An Intel CPU user with an affected processor now faces a no-win choice: keeping their Intel CPU in a broken and vulnerable state or mitigating its vulnerability with a massive performance degradation,” the complaint reads.
Who does the case look to cover?
The lawsuit looks to represent any person, business association, entity or corporation in the United States that, since June 16, 2018, purchased for their computers Intel CPUs from the 6th through 11th generation Core or Xeon families and that utilized the following affected architectures:
Haswell Server EP or EX;
Broadwell Server E Broadwell Server EX;
Skylake D, W or X;
Cascade Lake Server;
Cascade Lake W or X;
Broadwell DE V2, DE Y0 or DE A1;
Ice Lake Xeon-SP or D;
Ice Lake U or Y;
Tiger Lake U, U Refresh, H35 or H;
Amber Lake Y;
Kaby Lake U, U23e, Y, S, H, G, X, Xeon E3 or Refresh U;
Whiskey Lake U;
Comet Lake-S or U42;
Coffee Lake U23e, S, Xeon E, S Xeon E, S x/KBP or H;
Alder Lake-N, U, H, P or S;
Elkhart Lake; and
How do I join the lawsuit?
When a proposed class action is first filed, there’s usually nothing a consumer needs to do to be included in the lawsuit. If the case moves through the legal process and ultimately settles, those who have been affected, i.e., the “class members,” should receive a direct notice of the settlement, which will include details about their legal rights and what comes next.