The City of Providence Sues Intel over Meltdown and Spectre for $5 Billion
While Class Action lawsuits against Apple over intentionally slowing older iPhones have sailed past 55 thus far, Intel made it public on Friday that they've been hit with 32 class actions over Meltdown and Spectre as of February 15, 2018. One of the Class Actions in that group was filed last Monday by the city of Providence who is demanding $5 billion.
At the bottom of Intel's Form 10-K filing made public on Friday, Intel notes specifically that "As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed. The customer class action plaintiffs, who purport to represent various classes of end users of our products, generally claim to have been harmed by Intel's actions and/or omissions in connection with the security vulnerabilities and assert a variety of common law and statutory claims seeking monetary damages and equitable relief. The securities class action plaintiffs, who purport to represent classes of acquirers of Intel stock between July 27, 2017 and January 4, 2018, generally allege that Intel and certain officers violated securities laws by making statements about Intel's products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities."
Elsewhere in their filing they state: "Security vulnerabilities may exist with respect to our processors and other products as well as the operating systems and workloads running on them. Mitigation techniques designed to address these security vulnerabilities, including software and firmware updates or other preventative measures, may not operate as intended or effectively resolve these vulnerabilities."
They later confessed that "A side-channel exploit is a type of security vulnerability that has recently received attention as a result of the variants referred to as "Spectre" and "Meltdown." Information on these variants was prematurely reported publicly before mitigation techniques to address all vulnerabilities were made widely available, and certain of the mitigation techniques did not operate as intended."
City of Providence: Causes for Action
Count 1: Violation of California's Unfair Competition Law
Count 2: Violation of the Song-Beverly Consumer Warranty Act
Count 3: Violation of Rhode Island's Unfair Competition Law
Count 4: Violation of the Magnuson-Moss Warranty Act
Count 5: Breach of Implied Warranty
Count 6: Breach of Express Warranty of Marketability
Count 7: Unjust Enrichment
Count 8: Negligence
The complaint filed by the City of Providence begins with a segment titled "Nature of the Case" wherein it states:
"This is a consumer protection action seeking injunctive relief and damages arising from Defendant Intel's sale of defective microprocessor chips to Plaintiff and Class Members for over twenty-three (23) years. Intel's microprocessor chips are defective because they possess significant security vulnerabilities that, if exploited, permit an adversary to access sensitive data stored elsewhere on the machine or in the "cloud." Defendant has been aware of these issues since at least June 2017, and thus far, is unable to offer consumers who purchased devices containing defective microprocessor chips that possess the significant security vulnerabilities described herein ("Affected Devices") an effective remedy.
Intel's primary business is the manufacture, sale, and supply of microprocessors for computer system manufacturers like Apple, Lenovo, HP, Dell, among others. Intel also manufactures motherboard chipsets, network interface controllers and integrated circuits, flash memory, graphics chips, embedded processors and other devices related to communications and computing. In 2016, Intel reported full-year revenue of $59.4 billion.
Intel's marketing scheme emphasizes its cutting-edge processor speed and security. Defendant repeatedly makes public representations that its machines meet certain performance metrics and possess security features embedded in the hardware, which provided "robust, vulnerability-resistant platforms." For example, on July 11, 2017, Intel unveiled its "powerful" new Xeon Scalable processor, which broke "58 world [performance] records and counting," and was designed to offer businesses "security without compromise" while providing support to "an expanding range of existing and emerging data center, and network workloads, including cloud computing, high-performance computing and artificial intelligence." Similarly on January 19, 2016, Intel unveiled its then new 6th Gen Intel Core vPro processor for "full business productivity with up to 2.5 times the performance," which "lock[ed] the PC's Virtual Front Door with More than Password Protection."
Unbeknownst to consumers purchasing Affected Devices, Defendant's microprocessors were defectively designed, exposing Plaintiff and Class Members' sensitive information to adversaries through at least two types of security vulnerabilities, dubbed "Meltdown" and "Spectre."
Meltdown affects virtually every machine that runs an Intel processor, or millions of machines world-wide, as it is imbedded in nearly all of Intel's "out-of-order" execution microprocessors manufactured since 1995. Adversaries exploiting the Meltdown flaw attack the processors "out-of-order" execution to read arbitrary kernel-memory locations, including personal data and passwords. A Meltdown attack is independent of the operating system and does not rely on software vulnerabilities, which allows it to bypass security assumptions based on address space isolation and paravirtualized environments. An adversary that uses Meltdown to infect a system may readily access and read (without user permissions or privileges) the memory of other processes in that machine or the processes of linked virtual machines (i.e., those in the cloud). In addition to Microsoft and other software manufacturers releasing patches, Defendant purports to have released software patches through original equipment manufacturer ("OEM") partners, which purport to protect 90 percent of machines affected by Meltdown. The patches, however, are not 100 percent secure and has been shown to decrease the performance of the Intel microprocessor by as much as 30 percent. There are also growing reports that the patches are causing significant machine instability.
Spectre, meanwhile, exploits modern processor branch prediction and speculative execution by instructing the microprocessor to execute the destination of a branch ahead of time and then guessing the branch destination, depend on the memory value being read. The processor either discards wrong speculative guesses, or if right, commits to the speculative computation when the memory value finally arrives. Speculative logic, therefore, has access to the machine's memory and registers and performs operations. Spectre exploits this access. In a successful attack, the adversary induces the victim to "speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary." Because Spectre accesses memory registers and performs software operations, securing devices affected by Spectre requires each individual software vendor update its potentially vulnerable applications. Spectre, therefore, is a difficult fix, and a problem that "will haunt us for quite some time."
Defendant's microprocessors are defective because they expose sensitive consumer data to adversaries through the Meltdown and Spectre security vulnerabilities. Moreover, Intel has thus far been unable to offer consumers who purchased Affected Devices an effective repair or alternative solution. Intel itself admits that patches released for Meltdown and Spectre has caused instability in both newer and older machines. Based on these issues, Intel has even gone so far as to advise consumers to stop installing current versions of its Spectre and Meltdown patches. Defendant's defect microprocessors exist in nearly every Intel central processing unit (CPU) manufactured in the last 23 years, and thus, Affected Devices include most personal computers, laptops, smartphones, tablets, and servers in use today.
Consumers, including Plaintiff and all members of the proposed Class, are consequently left between a rock and a hard place, forced to choose between: purchasing a new machine with a processor that does not contain the design defect; continuing to use Affected Devices with significant security vulnerabilities; or utilizing a "patched" machine that is not 100 percent secure, which also may suffer from significant performance degradation or other instability issues.
Intel's conduct deprived consumers of the ability to make a meaningful choice from among competing processor products. Had consumers known of Intel's defectively designed processors prior to purchase, consumers likely would have opted to purchase AMD or ARM processors, which are not affected by the Meltdown flaw and are often priced below comparable Intel processors.
Plaintiffs and the Class it seeks to represent are consumers who purchased Affected Devices. This lawsuit is brought to challenge Intel's unfair business practices and practices pursuant to the consumer protection laws of Rhode Island. Plaintiff also brings a claim for: breach of express and implied warranty of marketability; unjust enrichment; and negligence.
Plaintiff requests the Court find Intel's business practices constitute unfair business practices and enjoin Intel from selling affected machines in the future.
Later in the court filing, the Plaintiff uses Intel's own ads against them. Although the lawsuit pointed to 6 particular ads, we present two of them as noted above. The Plaintiff added the following in their complaint in relation to the ads:
"Intel regularly touts the security of its processors in its marketing materials. For example, Intel advertises that its processors offer "Data Protection with Hardware-assisted Security" and ensures "data protection through innovation." In one instance, Intel emphasizes a "key component" of its approach to security is "providing more robust, vulnerability-resistant platforms. Security features are embedded in the hardware of Intel® processors, including three of Intel's newest server processors – the Intel® Xeon® processor E3 v3 family, the Intel® Xeon® processor E5 family, and the Intel® Xeon® processor E7 family, as well as the latest generation Intel® Core™ vPro™ processors." Intel's advertisements routinely focus on security measures built into its processors.
In June 2017, Intel learned its microprocessors suffered from several defects that allowed adversaries to access secure consumer data. These defects, colloquially known as Meltdown and Spectre, rendered Affected Devices unfit for their intended use."
The Class action was filed in San Jose California in the county of Santa Clara. The Presiding Judge is noted as being Beth Labson Freeman and the referring Judge noted as being Nathanael Cousins.
On January 8th Patently Apple posted a report titled "Intel gets hit with a String of Class Action Lawsuits over Meltdown and Spectre Security Flaws found in their Processors," which marked the first wave of Class Actions filed against Intel.
About Comments: Patently Apple reserves the right to post, dismiss or edit comments. Those using abusive language or negative behavior will result in being blacklisted on Disqus.