Five chip buyers are accusing Intel of failing to address security flaws in its CPUs that it has known about for five years, making the computers either open to the Downfall vulnerability disclosed in August or low-performing after applying a patch.

The five filed a class-action lawsuit last week against the giant chipmaker, also accusing Intel of touting the security of its chips despite knowing that they included the same design flaw that made earlier CPUs vulnerable to the high-profile Spectre and Meltdown bugs in 2018.

“For years, Intel knowingly sold billions of CPUs with this massive vulnerability, which imperiled the foundation of secure networking, secure communications, and secure data storage for Intel CPUs used in PCs, in cloud servers, and in embedded computers used across the country in functional MRIs [magnetic resonance imaging], power grids, and industrial control systems,” lawyers with the firm Bathaee Dunne wrote in the 112-page complaint, filed with the U.S. District Court in the Northern California District.

Each of the five individuals named as plaintiffs bought PCs or built their own computers with high-end Core processors that they assumed contained an architecture that was free of the flaws that enabled the Spectre and Meltdown vulnerabilities. They also used their systems for such jobs as gaming, video and photo editing, and streaming, and noted decreases in performance after installing regular updates since the Downfall disclosure, according to the complaint.

Going Back Five Years

Both Intel and AMD – as well as Apple and Arm – were hit in 2018 by reports of the Spectre and Meltdown attack vectors stemming from the “speculative execution” capabilities of the chips, a technique introduced to increase the performance of a processor by enabling the CPU to in certain situations to predict the code that needs to be executed next and automatically executing it before it comes in.

Google researchers showed how attackers could exploit the vulnerability, which put millions of computers and smartphones at risk, but there have been no public disclosures of attackers using this difficult exploitation.

At the same time in 2018 that Intel was dealing with the Spectre and Meltdown, it also was told by third-party researchers saying that its Advanced Vector Extensions (AVX) instructions were vulnerable to the same kind of attacks as Spectre and Meltdown.

The AVX instructions “perform critical CPU functionality associated with encryption, media, gaming, and the execution of memory-optimized computer programs,” the lawsuit says.

Criticizing Intel’s Response

“However, despite promising a hardware redesign to mitigate speculative execution vulnerabilities during the exact time period researchers disclosed the vulnerabilities in Intel’s AVX instructions, Intel did nothing.” The lawyers wrote. “It did not fix its then-current chips, and over three successive generations, Intel did not redesign its chips to ensure that AVX instructions would operate securely when the CPU speculatively executed them.”

In addition, Intel put in “secret buffers” and side effects left in the CPU cache essentially created a backdoor that could be used to allow an attacker to use AVX instructions to grab sensitive information from memory by exploiting the same design flaw that the chipmaker said it fixed in the wake of Spectre and Meltdown, they wrote.

In August, a Google researcher detailed the Downfall vulnerability – tracked as CVE-2022-40982 – about a year after alerting Intel. The chipmaker that same month issued firmware updates and an optional software sequence to mitigate the flaw.

The Downfall vulnerability affects most Core chips from the “Skylake” 6^th-gen processors through the “Tiger Lake” 11^th-gen products and highlights the challenges that come with securing hardware.

Updates Lead to Performance Issues

The lawsuit notes Intel’s microcode update, but said it “handicapped” the speculative execution and branch prediction capabilities that are foundational to how chips run, leading to a performance hit of as much as 50%.

Just after Intel’s release of the microcode fix, a researcher with Phoronix reported that applying the patch could reduce the performance of some chips by as much as 40%. Michael Larabel also noted that Intel itself said there could be a 50% reduction in “extreme cases.”

Whatever the performance drop, it was too much for the individuals bringing the lawsuit, according to the lawyers.

“Plaintiffs are left with defective CPUs that must be severely impaired in performance and functionality to ‘mitigate’ their vulnerability to Downfall,” the complaint states. “These are not the CPUs they purchased. … Intel’s affected CPUs – billions of them – are to this day defectively designed, and Intel has instituted no recall, implemented no repair program, and provided no plan to fix the underlying design defect.”

They’re seeking restitution and damages stemming from their buying and using the Cores chips vulnerable to Downfall and now underperforming because of the updates. They also want Intel to stop selling the chips at issue and to stop Intel from “continuing its campaign of false and misleading statements and omissions concerning its defective processors and its sale of defective processors and systems.”