Lawsuit Claims Intel Sold Billions of AVX-Enabled CPUs Knowing of Downfall Vulnerability

Intel Rocket Lake
(Image credit: Intel)

A group of five Intel CPU buyers has begun a class action suit against the iconic PC chip designer reveals a court document shared by The Register. The plaintiffs assert that Intel knowingly sold billions of CPUs after it already knew of the AVX side-channel vulnerability that would eventually precipitate Downfall. It is further claimed that Intel had knowledge of the AVX vulnerability since 2018 and that Intel’s patch to its architectural flaw meant CPUs were “slowed down beyond recognition.”

Back in August, we reported on behind-the-scenes legal manoeuvrings as a class action against Intel brewed. At that time we recalled that contemporary tests on Intel CPUs spanning the Skylake to Rocket Lake (6th to 11th Gen Core processor) architectures showed patching slowed some operations as much as 50%. Apps that leaned heavily on AVX2 and AVX-512 workloads to complete tasks were worst affected. However, if left unpatched, threat actors could exploit Downfall to extract sensitive information like encryption keys from systems using the 6th to 11th Gen Core CPUs via malware or local access.

Intel Downfall

(Image credit: Daniel Moghimi)

The key complaint within the court document, which asks for a jury trial at the US District Court in San Jose, isn’t about the existence of the Downfall vulnerability, or the patch performance penalty, but of Intel basically sitting on its hands. The plaintiffs say that Intel knew of the “defect” behind Downfall since 2018.

Of course, 2018 was a very big year for computer security news. This was the year when Spectre and Meltdown were all over the headlines in the tech press. It was the first time we had seen exploits targeting the speculative execution process that is used by many modern CPUs to speed calculations. Due to the way this process was implemented, threat actors could snoop on data in memory from other processes.

With all the uproar about Spectre and Meltdown, some security researchers began to look at similar attack vectors. It is thought that, in June 2018, Alexander Yee was one of the first computer enthusiasts and tinkerers to write about a “new Spectre exploit variant for Intel processors involving AVX and AVX512 instructions.” Intel got Yee to keep any detailed report under his hat until August 2018. With early access to this data and thousands of engineers on its payroll, one might have expected Intel to do something about this AVX data-leaking possibility.

Actually, according to the class action filing, Yee wasn’t the only one to warn Intel of AVX vulnerabilities which would eventually precipitate Downfall. A key argument of the plaintiffs is that “In the summer of 2018, as Intel was dealing with the fallout of Spectre and Meltdown and promising a hardware fix in future CPU generations, Intel received two separate vulnerability reports from third parties flagging a particular set of instructions on Intel’s CPUs, called the Advanced Vector Extensions (AVX).” Importantly, Intel hasn’t denied seeing these reports, the court document says “Intel contemporaneously acknowledged both reports.”

Above we have mentioned the main thrust of the class action suit, with complaints about Intel knowingly selling billions of CPUs since 2018 with a “defect.” Secondly, the two unacceptable choices for the CPU buyers were to either leave the vulnerability open or to apply a patch that “destroys their CPUs’ performance.” And it is mainly due to these factors that the plaintiffs are asking for “damages and equitable relief,” from Intel.

(Image credit: San Jose Court document)

Some interesting background to each of the five plaintiffs is also provided in the court document shared by The Register [PDF]. Basically, each talks about their research into buying or DIYing a fast modern PC, how the system performance was eventually impacted by Downfall mitigations, and how price / performance was thus heavily impacted.

Mark Tyson
Freelance News Writer

Mark Tyson is a Freelance News Writer at Tom's Hardware US. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • rluker5
    If these lawsuit filers really want to make money, AMD is currently selling CPUs with a known, published vulnerability that affects performance in far more workloads than Downfall ever could- SQUIP. It has a side channel vulnerability when SMT is used by those that don't control which threads their programs use.

    Probably every CPU they are selling that has SMT enabled.

    The individual risk of being exploited with SQUIP is low, but it also is with Downfall. And I bet most that have Skylake and Rocket Lake chips never even noticed when the mitigation was enacted, but most would notice if their SMT were turned off by an update.
    Reply
  • vanadiel007
    "Basically, each talks about their research into buying or DIYing a fast modern PC, how the system performance was eventually impacted by Downfall mitigations, and how price / performance was thus heavily impacted."

    I think system performance over time is impossible to measure, and Windows likely impacts it more than the mitigation. That and who cares about the performance of a 5 year old CPU. If this was in a server environment I could see why it would matter, but for a home user building their own machine: time to upgrade buddy.

    Probably be way cheaper to upgrade than the class action lawsuit...
    Reply
  • hotaru.hino
    What do the plaintiffs expect companies to do when they're made aware of a security vulnerability? Drop everything and fix it? And the claim that the patches "slowed down beyond recognition" is an argument that shouldn't pass muster unless they have the empirical evidence that they and the rest of their "class" are severely hampered.

    On the extreme end of things, maybe they should go after everyone who employs cryptography because it's all vulnerable to brute force attacks.
    Reply
  • TechieTwo
    Intel does whatever makes them the most money, period. They violate law and good judgment all the time in their lust for Mo Money as past lawsuits confirm. They have enough lawyers to pummel all including the DOJ. They may end up paying a trivial fine vs. the revenue generated but it won't change their operating mentality. Why would it when it's so profitable to violate law?
    Reply
  • magbarn
    Can't wait to collect my $5 Intel rebate to apply towards a future purchase while the pond scum lawyers reap $10's of millions in the settlement. Class action is trash,
    Reply
  • greenreaper
    vanadiel007 said:
    Probably be way cheaper to upgrade than the class action lawsuit...
    Plaintiffs in such lawsuits are generally compensated for their trouble, over and above the amount granted to the average member of the class (though nowhere near as much as the lawyers).
    Reply
  • vanadiel007
    greenreaper said:
    Plaintiffs in such lawsuits are generally compensated for their trouble, over and above the amount granted to the average member of the class (though nowhere near as much as the lawyers).

    That is assuming they can make their case.
    Reply