Plaintiffs Seek Damages Over Security Vulnerabilities, Alleged Insider Trading
Intel now faces 32 lawsuits over flaws in its CPUs.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
The flaws are a trio of security vulnerabilities known as Meltdown and Spectre (see Expect More Cybersecurity ‘Meltdowns’). Although attacks exploiting the flaws are not necessarily simple, they could be used to recover passwords, encryption keys and other data in memory.
The flaws, which are present in billions of devices made over the past 20 years, became public knowledge on Jan. 3. Intel says it first learned of the flaws in June 2017, thanks to a Google research team.
Intel isn’t the only chipmaker who’s built CPUs that are vulnerable to the flaws. Some CPUs built by Advanced Micro Devices have Spectre – but not Meltdown – flaws. And ARM says that that three of its cores – a CPU component – have some or all of the flaws.
All three CPU manufacturers have been hit with class action lawsuits over the flaws both in the U.S. and abroad, including Israel.
Last month, a lawsuit filed in U.S. District Court of Northern California accused AMD of deceiving shareholders by reporting on Jan. 3 that there was “near zero risk” that its chips were susceptible to the second variant of the flaws – “branch target injection” or Spectre – before reversing that assessment eight days later (see Spectre Reversal: AMD Confirms Chips Have Flaws).
Even Apple has been sued over its use of ARM chips in its devices.
AMD and ARM didn’t immediately respond to a request for comment about how many Spectre and Meltdown lawsuits they face. Intel didn’t immediately respond to a request for comment about where all of the lawsuits against it have been filed.
As of Thursday, Intel faced 30 customer class action lawsuits as well as two securities class action lawsuits, all of which touch on the hardware flaws, according to Intel’s 10-K annual report filed with the U.S. Securities and Exchange Commission on Friday.
“Could be worse. Could be 64,” quipped Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure.
Intel Plans ‘Vigorous’ Defense
Intel’s executives say they will vigorously defend the company against the lawsuits. “We dispute the claims … and intend to defend the lawsuits vigorously,” according to its filing. But the company warned investors: “We are unable to make a reasonable estimate of the potential loss or range of losses, if any, that might arise from these matters.”
Intel also defended its response to the flaws. “As is standard when findings like these are presented, we worked together with other companies in the industry to verify the research and develop and validate software and firmware updates for impacted technologies,” the company says in its annual report. “On January 3, 2018, information on the security vulnerabilities was publicly reported before software and firmware updates to address the vulnerabilities were made widely available.”
Lead Time: 6 Months
The flaws were publicly confirmed after outside researchers began noticing the flaws six days prior to when a coordinated announcement was scheduled to be made.
Many have questioned why Intel wasn’t better prepared, having had six months to ready mitigations. Last month, the outspoken creator of the Linux kernel, Linus Torvalds, took issue with Intel’s response (see Intel: Stop Installing Patches Due to Reboot Problems).
“As it is, the patches are complete and utter garbage,” Torvalds wrote to the Linux kernel mailing list. “They do literally insane things. They do things that do not make sense.”
Insider Trading Alleged
The 30 lawsuits “generally claim to have been harmed by Intel’s actions and/or omissions in connection with the security vulnerabilities and assert a variety of common law and statutory claims seeking monetary damages and equitable relief,” Intel says.
Meanwhile, the two securities lawsuits “allege that the defendants breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading,” Intel says.
That may be a reference to an Intel filing in late November 2017 which reported that CEO Brian Krzanich sold a large chunk of his Intel stock for about $39 million, apparently netting about $25 million.
Since then, the chipmaker has stumbled by releasing firmware updates with mitigations that have caused stability problems, including frequent rebooting. The problems caused by Intel’s patches led Microsoft to help roll back the updates (see Microsoft Patch Nukes Bad Intel Firmware Fix).
Defenses Impact Performance
One unresolved problem with Meltdown and Spectre fixes – both for CPUs as well as mitigations built into operating systems – is that they appear to impact system performance, especially in data centers. PCs that are not running the latest CPUs and operating systems also appear to be especially impacted (see Performance Hit: Meltdown and Spectre Patches Slow Systems).
Researchers continue to study Meltdown and Spectre and are attempting to devise new defenses.
Chipmakers likewise say they continue to study the problems.
“We’ve been working around the clock with our customers and partners to address the security vulnerability know as Spectre and Meltdown,” Intel CEO Krzanich said on a Jan. 25 conference call discussing Intel’s fourth quarter 2017 earnings. “Our near-term focus is on delivering high quality mitigations to protect our customers infrastructure from these exploits.”
But eliminating the problems entirely will require changes to CPUs that are still being studied or perhaps not even yet discovered.
“We’re working to incorporate silicon-based changed to future products that will directly address the Spectre and Meltdown threats in hardware,” Krzanich said on the earnings call. “And those products will begin appearing later this year.”