Intel Sued Over 'Downfall' Bug, Plaintiffs Seek $10K Each
A class action lawsuit accuses Intel of deliberately selling billions of flawed chips over several years. The result could potentially establish the line between inadequate vulnerability rectification and absolute negligence.
This week, a class-action lawsuit was filed against Intel concerning the company's response to data-leaking vulnerabilities in its CPUs. The lawsuit, filed in the San Jose Division of the United States District Court's Northern District of California, involves five plaintiffs who claim that Intel was aware of the defects causing these vulnerabilities for several years before issuing a fix.
At the heart of the case is the "Downfall" bug (CVE-2022-40982), an information disclosure vulnerability rated 6.5 on the CVSS scale, found in Intel's sixth to eleventh-generation CPUs. This bug was publicly highlighted at Black Hat in August by a Google researcher, who showed how attackers could exploit a vulnerable instruction used for speculative execution in Intel's processors to access privileged information in a shared computing environment.
The lawsuit alleges that Intel was aware of similar vulnerabilities as far back as 2018 but did not adequately address them, opting instead to prioritize profits over fixing the defects. The plaintiffs argue that the patch released by Intel in response to the Downfall bug significantly slows down processing speeds, leaving users with either vulnerable or underperforming CPUs.
John Gallagher, vice president of Viakoo Labs at Viakoo, comments that while expecting a flaw-free product is unrealistic, there should be accountability for vendors who fail to apply timely patches, leading to data theft.
The legal challenge brings into question the threshold at which poor handling of vulnerabilities becomes negligence. The case also revisits the broader issue of legal liability for hardware flaws in the tech industry, which remains a grey area since the Intel 'floating point error' incident nearly 30 years ago.
This lawsuit could have significant implications for how tech companies are held accountable for security flaws in their products. However, proving legal liability in cases involving complex side-channel attacks with limited impact on the average computer user may prove challenging. Bathaee Dunne LLP, representing the plaintiffs, has declined to comment, and Intel has not yet responded to requests for comment regarding the lawsuit.