Intel “Downfall” CPU Vulnerability Leads To Class-Action Lawsuit By Consumers

Intel has been pulled into a lawsuit by consumers, claiming that the chipmaker was aware of the Downfall vulnerabilities & still sold chips in the market.

Before we go into the lawsuit, let's recap on what Downfall is. As covered previously, the vulnerability specifically affects workloads utilizing the AVX2/AVX-512 gather instructions. Intel disclosed that "Downfall" had a greater impact on older-gen Tiger Lake/ Ice Lake lineups. In easy words, the vulnerability reveals hardware registry contents, potentially leading to large-scale data thefts. Since vulnerability in the industry is something quite common, it isn't seen as the company's fault, and oftentimes, mitigation is applied quickly.

However, the lawsuit filed by five Intel CPU buyers, as reported by The Register, claims that Team Blue was aware of the AVX side-channel vulnerability since 2018. Moreover, the company didn't tend to fix the loop in the architecture until Downfall was discovered, which not only put the security of millions of users at risk, but the aftermath of the vulnerability led to a 50 percent decline in performance. Here is how the report by The Register sums up how Downfall's existence actually started five years ago:

The complaint says that in the summer of 2018, when Intel was dealing with Spectre and Meltdown, the manufacturer received two separate vulnerability reports from third-party researchers that warned that the microprocessor titan's Advanced Vector Extensions (AVX) instruction set – which allows Intel CPU cores to perform operations on multiple pieces of data simultaneously, improving performance – was vulnerable to the same class of side-channel attack as those other two serious flaws.

The argument posed by the filers discloses that Intel was well aware of the "loophole" for a long time and that the company made no effort to fix it, despite knowing its potential existence five years ago. Moreover, it is said that Intel had implemented "secret buffers" related to those instructions, which are basically meant to suppress the threats of the vulnerability for a temporary period. Instead of fixing the problem, this actually bolstered its occurrence, which led to attacks such as data thefts.

These secret buffers, coupled with side effects left in CPU cache, opened what was tantamount to a backdoor in Intel’s CPUs, allowing an attacker to use AVX instructions to easily obtain sensitive information from memory —including encryption keys used for Advanced Encryption Standard ('AES') encryption — by exploiting the very design flaw that Intel had supposedly fixed after Spectre and Meltdown.

Intel hasn't responded to the claims yet, but these are some serious allegations against the company since it shows that Team Blue is apparently "unbothered" by potential backdoors and loopholes within their architecture, which puts both consumers and businesses at risk. However, we shouldn't come to conclusions just yet, because as they say "guilty until proven innocent".

News Source: The Register