A proposed class action alleges certain HP computers equipped with AMD Ryzen and AMD Athlon processors with firmware trusted platform modules (fTPMs) are defective in that they can develop stuttering during audio and video playback and are particularly susceptible to cyberattacks.
According to the 87-page complaint out of California, the fTPMs in the computers, implemented as a response to beefed-up Windows 11 firmware security requirements, cause “invasive stuttering” during videoconferencing and gameplay.
More seriously, the fTPM defect also leaves the HP devices more vulnerable to catastrophic firmware attacks, even though a TPM is, by nature, supposed to defend against such attacks, the suit says.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The lawsuit alleges that HP, rather than implement a new piece of hardware to make sure its devices were compatible with Microsoft’s security checks for Windows 11, allowed AMD to develop a piece of code that would announce itself to the operating system as a trusted platform module. Ultimately, HP’s cost-minded solution has made the threat of firmware attacks worse, the suit contends.
The filing charges that the AMD fTPM design defect and the issues it causes have significantly and perhaps totally impaired the value of consumers’ HP laptops and desktops, which the case argues are “unfit for their intended use” and “uniquely vulnerable to firmware attacks.”
“Despite this—and despite growing complaints about the performance of the AMD-based HP computers in HP forums and across the Internet—HP has done nothing to fix or replace its defective computers,” the complaint relays.
This is not what Microsoft asked for, lawsuit says
In June 2021, Microsoft, in response to a stark uptick in firmware attacks, decided to require as a precondition to running its Windows 11 operating system a specific piece of hardware designed to “separate sensitive cryptographic and other security-related resources from the main CPU and system memory,” the filing relays. This part is known as a trusted platform module (TPM).
The case says that because a TPM is kept separate from a device’s CPU, it could protect vital security resources from being exposed in a firmware attack, including the kind whereby a hacker can compromise the computer before the operating system loads. With this setup, even if a system’s CPU, memory and operating system are attacked, “the secrets stored in the TPM would remain safe,” the complaint explains.
With this requirement from Microsoft came a new, significant and “potentially burdensome” redesign on HP’s part to ensure that its PCs were compatible with the newest version of Windows, the case says.
Unfortunately, in response to the task, HP turned to AMD to develop and implement a “defeat device” to game Windows 11’s security checks and ensure it met Microsoft’s TPM requirement, the suit claims. This “defeat device”—most commonly a piece of equipment (typically found in the auto industry) that can sense when a machine is being tested and ensure it meets relevant testing benchmarks—was not a piece of hardware as Microsoft required but rather “a piece of code that announced itself to the system (and critically, to Windows 11) as a ‘TPM,’” the lawsuit states.
According to the suit, the fTPM was implemented as part of the platform security processor (PSP) subsystem, which is included within the AMD CPU package.
“The PSP had direct access to sensitive and privileged CPU and memory resources, and as such, so did the fTPM module AMD had incorporated within it,” the suit explains.
With this design, the lawsuit says, the co-processor that ran the subsystem would be additionally stressed as it would have to share resources and memory with the fTPM. Unfortunately for consumers, the suit alleges, the splitting of the subsystem’s “scarce resources” hampered a number of firmware-based systems that ran as part of the PSP – including the software that enables the decryption of streaming video and audio.
“Not only did AMD’s fTPM design ironically implement a security module designed to prevent firmware attacks in the firmware itself, it did so in a way that exposed sensitive system resources to the fTPM,” the case reads.
The fTPM within HP’s AMD devices not only failed to accomplish its sole purpose for being a TPM—that is, to reduce the “risk and effect” of firmware attacks—but has also compromised the PSP subsystem, the lawsuit claims. This means that a firmware attack could potentially compromise all of the security-sensitive resources of the system given HP conveniently grouped them into one software-based module, per the case.
According to the filing, the fTPM ultimately allowed HP to avoid the “major hassle” of shipping new hardware with its AMD-based computers to make them work with Windows 11 – at consumers’ expense.
Then there’s the video/audio stuttering
The case links the alleged HP stuttering issue to the company’s decision to implement the fTPM as part of the PSP, which could potentially delay the function of other systems needed for a user to, for instance, stream a video from Netflix, play a video game or join a work video call.
"The result was the catastrophic stuttering of playback on HP PCs with AMD Ryzen and Athlon processors. Reports flooded online forums and YouTube channels describing HP and other AMD-based PCs stuttering when playing back video, when playing audio, or both. The stuttering also affected video conferencing—a staple in the post-pandemic work-from-home environment. And, with respect to gamers, whom HP directly targets for PC sales, the defective HP PCs would stutter when playing video games. In YouTube video after YouTube video, users showed the stuttering effect in various popular computer games being run (or attempting to run) on HP and other AMD-based computers. Despite HP’s promises that its AMD-based PCs were suitable for ordinary uses, such as watching video, listening to music, video conferencing, and playing games, its AMD PCs stuttered during each of these baseline applications.”
Rather than acknowledge the problem, HP has instead continued to specifically market its AMD desktop and laptop computers as particularly suited for watching videos, videoconferencing, and gaming, and as fortified by “enterprise-level” security, the case states.
Indeed, HP has allegedly done nothing in response to a swell of consumer complaints about the stuttering problem or exposure to firmware-based cyberattacks.
Who’s covered by the HP lawsuit?
The suit looks to represent all individuals, business associations, entities or corporations that purchased HP notebooks or desktops with AMD Ryzen or AMD Athlon processors with fTPM modules from January 1, 2019 to the present.
My HP computer stutters. How do I get involved in the case?
There’s typically nothing you need to do to join a class action case when it’s initially filed. If the lawsuit proceeds and eventually settles, that’s when the people covered by the suit, called “class members,” would need to act, usually by filing a claim online or by mail.
If you own an HP laptop or desktop with an AMD Ryzen or AMD Athlon processor, or just want to stay in the loop on class action lawsuit and settlement news, sign up for ClassAction.org’s free weekly newsletter.