Intel Hit With More Than 30 Lawsuits Over Security Flaws (reuters.com) 99

Intel said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips. From a report: Most of the lawsuits -- 30 -- are customer class action cases that claim that users were harmed by Intel's "actions and/or omissions" related to the flaws, which could allow hackers to steal data from computers. Intel said in a regulatory filing it was not able to estimate the potential losses that may arise out of the lawsuits. Security researchers at the start of January publicized two flaws, dubbed Spectre and Meltdown, that affected nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM.
  • by fattmatt ( 1042156 ) on Friday February 16, 2018 @12:32PM (#56135776)

    I can't wait to get my $3 !!

    • by Anonymous Coward on Friday February 16, 2018 @12:45PM (#56135852)

      Change log:
      2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)

      Intel CPU Backdoor Report
      The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

      What we know about Intel CPU backdoors so far:

      TL;DR version

      Your Intel CPU and Chipset is running a backdoor as we speak.

      The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

      30C3 Intel ME live hack:
      [Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
      @21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

      [Quotes] Vortrag [events.ccc.de]:
      "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

      "We can permanently monitor the keyboard buffer on both operating system targets."

      Decoding Intel backdoors:
      The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

      If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

      Backdoor removal:
      The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
      Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

      2017 Dec Update:
      Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode [ptsecurity.com], use me_cleaner [github.com] with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit [github.com].

    • I already know I don't have it in me to take Intel to court, but I'm pretty peeved since I bought an i5-7500 right before this stuff was announced (and you can't return processors anywhere). It knocked about 5% off the performance and I would have waited until the next gen stuff was out this year or next (or bought a Ryzen) if I'd known.
    • by AmiMoJo ( 196126 )

      Does the existence of a class action stop you suing them yourself?

      I'm using small claims court. Cheap and effective.

      • Does the existence of a class action stop you suing them yourself?

        Yes, if you don't take efforts to opt out of them all. Class action lawsuits are auto-opt-in, you have to personally track down and remove yourself from the list of people on each one to be able to sue because you can't sue twice. This means that while actual damages were around 70% of the cost paid for any Intel CPUs over the years (since that's the power loss and false advertising they are conducting) you'll get a couple cents, if you explicitly state that, and the lawyers will get the rest. This class act

      • None of these are class actions yet, whenever you see a story in the media that claims "some number of class actions suits were filed" you should know without looking at the details that it is not true as claimed.

        You have to file an individual claim, with an individual cause of action. That is the thing that you "file" with the help of your lawyer. Then you ask the court to Certify a Class of plaintiffs that have been harmed in the same way. If the Court says yes, they will then rule on what the class actua

      • by rtb61 ( 674572 )

        I don't know. Some bloody big companies got hacked et al. Some real deep pocketed companies, even they profit with a class action. So, so, many big companies, the losses way and beyond CPU price. So the question for the big players, take as much as you can without killing Intel or strip mine it for its assets, it could be that bad. No need to panic yet, as the civil proceeding will likely take many years but in the end, it doesn't look good for Intel.

    • Re: (Score:3, Interesting)

      by Fly Swatter ( 30498 )
      It will be a $3 coupon good only towards a future Intel processor, which may actually be a fixed version, the kicker is it will be $30 more than current prices to cover the class action lawyer fees. You'll also need a new motherboard with that, oh and they changed the memory design again. Yep we are all winners here.
    • Class actions aren't for compensation. They're for deterrence and changing incentives.

    • I got $27 last year from a class action because some shady "collection agency" called my cell phone a bunch of times trying to collect on an invalid "debt."

      The reason that you'd be lucky to get $3 is that Intel didn't promise that their chips could output some number of math answers per second in a secure way, they only sold you a CPU that does all the instructions they promised it does.

      Numerous combinations of CPU instructions might turn out to not do what you wanted them to do, if you wanted a different t

    • by Anonymous Coward

      Why $3?

      If I bought (as I did) a system/CPU that was top of the range at the time and paid a premium price for it - and now have to run patches that slow it by 50% to "sort" Meltdown and Spectre problems - then the comparison and recompense should be in line with a system/CPU that ran at 50% of the performance and was available at the time of the original purchase. In which case the difference/reasonable compensation could be several hundred dollars per CPU.

  • by OrangeTide ( 124937 ) on Friday February 16, 2018 @12:33PM (#56135786) Homepage Journal

    I'm pretty sure Intel never made promises that it was a highly secure chip. They mainly market on power and performance.

    • It has, many many times.
      Intel TXT, NX bit, Intel MPX, Intel Secure Key, Intel SGX, Intel KPT, IIRC MSRs, Intel Management Engine (this one is very secure)
      • Did they ever claim that it was resilient against side channels?

        The SGX one is perhaps the most interesting of these, because Spectre can allow disclosure of unencrypted memory from SGX enclaves, which makes them largely useless. If you bought processors specifically for the SGX functionality then you may be entitled to a refund along the lines of the refund when they disabled HTM in Haswell. Microsoft bought quite a lot of Intel chips for Azure for this reason, which could get interesting.

      • by Anonymous Coward

        Then off with their heads!

    • by Anonymous Coward

      ENGINEER: (ENTERING MANAGER'S OFFICE) "Sir. We seem to have found a vulnerability in the new chip design"
      MANAGER: "What sort of vulnerability?"
      ENGINEER: "Well, when a computer is connected to the Internet...."
      MANAGER: (INTERRUPTING) "Stop right there." (HOLDS DOWN BUTTON ON INTERCOM) "Call the lawyers and have them see if we promise the chips to be secure when attached to a network." (TURNS TO ENGINEER) "Is there anything else?"
      ENGINEER: (GRINNING) "No sir. Thank you for your time." (LEAVES)
      MANAGER: (MAKES S

    • Try that in America where we do Jury trials for a lot of these sorts of things and it'll blow up in your face. The rest of the world that might work though.
    • And Ford never formally states that their cars don't explode if used on alternate Thursdays. Fortunately, reasonable assumptions about a product are reasonable and actionable.

  • by Anonymous Coward on Friday February 16, 2018 @12:37PM (#56135808)

    I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity. Please do not encourage the spread of this misinfo. It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.

    https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html

    • Don't fall for Intel's PR tactics.

      Meltdown is much worse than Spectre and Meltdown is an Intel only flaw.

    • by Anonymous Coward

      It is important to understand what processors are safe and what processors are affected by Meltdown and Spectre's 2 variants.

      https://www.networkworld.com/article/3246707/data-center/meltdown-and-spectre-how-much-are-arm-and-amd-exposed.html

      That article contains errors. In particular, the article claims that AMD processors are "potentially vulnerable to only one of the three variants of Meltdown". This is incorrect for two reasons.

      (1) There is only one "variant" of Meltdown. Presumably, the author mistakenly considers Spectre Variant 1 and Spectre Variant 2 to be "variants" of Meltdown.

      (2) According to AMD's own statement [amd.com] (which is linked in the article), AMD processors are immune to Meltdown, but vulnerable to both variants of Spectre.

    • by Khyber ( 864651 )

      "I'm sure everyone reading this already knows the obvious, but AMD is not affected by Meltdown in any capacity."

      This theoretically isn't true. A DPA attack might be enough to open a hole for Meltdown-style problems.

  • Warning: Should a future vulnerability be discovered in this technology--which is almost certainly incomprehensible to you anyway and may as well be considered "magic"--corrective updates may impact advertised performance.
  • 30 sounds low. Throw the book at 'em!

  • Mistake 1: A major engineering design flaw.

    Mistake 2: Neglected to force their users to enter into a binding arbitration agreement before using the CPUs.

    • Wouldn't have helped. Don't forget that Intel found out about this at least seven months before it was revealed, which means for seven months it continued selling processors it knew were defective without disclosing that fact.

      Any agreement it reached with people who bought chips during those seven months would be invalid, because withholding material information means there was no "meeting of the minds".

  • by Anonymous Coward

    No purchases until hardware fix.

  • by Anonymous Coward

    Lovely bug that can't be fixed by microcode. Millions of flawed CPUs out there. What's the technology that pushes native code to run in web browsers called again? Can't wait for that clusterfuck to happen.

  • by swb ( 14022 ) on Friday February 16, 2018 @01:05PM (#56135986)

    Will they have to actually demonstrate a material loss resulting from a security breach associated with the flaw, including some kind of material proof that the flaw was actually the cause of the breach?

    I'm kind of guessing time spent running around and patching probably isn't something they can sue for, otherwise MS would have been out of business ages ago on this item.

    And what do they actually hope to get out of it? New CPUs not compatible with their existing motherboards? A cash payment based on the pro-rated cost of the microprocessor itself based on remaining life cycle?

    I can see the obvious desire to rake Intel over the coals and perhaps they deserve some of it, I just don't get how you can link any specific loss to this chip flaw, or if you can, it's extremely hard to prove.

    I'm also curious if there's not some general defense for Intel along the lines of "running a computing infrastructure involves dealing with bugs and flaws in hardware and software, problems will arise".

    • Exactly this.

      The harm is that when the user accidentally grants explicit access for some malware to run on their computer, now it can be 15% more naughty. That's bad, but pinning it on Intel is going to be hard, even if it is actually a bug. But it might not even be a bug, it might be a misfeature that the whole industry misunderstood. And it might not be a misfeature in the CPUs, but in many of the Operating Systems, who foolishly trusted things that were only assumed to be true, but had not actually been

  • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Friday February 16, 2018 @01:24PM (#56136140)

    I mean, thinking this all through, it seems to be a frivolous exercise without some massive shift.

    Intel grossed over $60 billion in FY 2016. Even if each of these lawsuits requires Intel to pay $1 billion, and all of them are won, it's less than six months of revenue for them - not fun, but not the corporate equivalent of $150,000 in individual medical debt, either. Intel has enough in the bank to ride the storm, and simply bump up CPU prices by another 15% until the costs are paid...and then leave the prices there.

    In a perfect world, this would give AMD the golden opportunity to pick up the slack. The Ryzen line of processors has been met with a whole lot of favorable press; they could easily take over the i3/i5/i7 desktop/laptop markets from a performance perspective. However, AMD has spent the last decade scraping the bottom of the barrel with their A10 processors and similar, low performance CPUs that are almost synonymous with the sub-$400 laptop market, and the hatred that people associate with Windows machines. Even if the shelves at Best Buy became 50/50 between AMD and Intel (as opposed to right now, when there are more Xeon-based laptops available than Ryzen 5 and Ryzen 7 combined), it's going to take consumers quite a while to realize that AMD makes high end processors, too. Intel sales take a dip, sure, but I don't see AMD managing to truly eat at Intel's market in a way that leaves a lasting impact.

    The server room is still Intel's. Dell, HP, and Lenovo have dabbled in a few AMD-based machines (I've got a pair of Opteron-based R415's running as routers myself), but with AMD having misstepped with the Bulldozer architecture and certain server applications being all "we only support Intel", I don't see AMD making massive inroads there either. This is compounded by the likelihood that Dell ordering 0.8X Xeon processors from last year and making up the slack with newer Opterons is going to inevitably involve a higher per-processor price, making their servers more expensive, meaning that if Lenovo keeps their orders up, they will be cost favorable, leaving Dell less able to compete on price unless sysadmins really do start ordering AMD-based servers for their racks.

    Now, the one player that really could make a dent would be Samsung - there's not a laptop component they don't make except the processor at this point, so retooling their Exynos chip fabs to make an x86 processor that can compete with an i3 and deliver an end-to-end, single-manufacturer laptop or desktop is in the cards for them, certainly more so than any other manufacturer. If they can pitch one running Android and avoid a Windows license, even better. Even so, it's risky for Samsung, and although they can eat a pretty big loss, trying to capitalize on Intel while they are down and hoping that consumers end up buying a laptop sporting a CPU from a relative newcomer is not the kind of gamble that risk-averse execs are likely to go full force on.

    In summary, Intel CPU processors will rise, AMD may well be capable of meeting demand but OEMs, retailers, sysadmins, and consumers are going to be a bit skittish about giving AMD a shot when Intel is a known quantity, and while Samsung could probably kick 'em while they're down, it's highly debatable that they will do so. In the end, Intel is likely to just raise prices and the world continues as normal.

    • Wow. You are a good corporatist there. You never mentioned the affected end users, just Intel and a few other mega corporations. Good job.
      • Wow. You are a good corporatist there. You never mentioned the affected end users, just Intel and a few other mega corporations. Good job.

        Affected end users aren't fabbing their own processors. Affected end users are in a position to decide how much they care, and whether they will buy not-Intel for their next computer. Affected end users may choose AMD, but are unlikely to do so in an impactful manner. Affected end users may have the option to purchase from Samsung if Samsung decides to enter the market. Affected end users will likely end up paying more for Intel, as Intel is likely to simply increase costs to affected end users in order to

        • by swb ( 14022 )

          Stop making sense. Just climb onto the pro-AMD/anti-Intel bandwagon and brigade against the man!

          We were promised perfection by Intel, and by God we will scream until we get it.

          • They said if I bought a used 8088, my computer would run "too slow" to do anything, but I still did stuff.

            They said if I bought a 386SX, my computer would run "too slow," but it didn't.

            They said if I bought Cyrix, my computer would run "too slow," but GCC didn't care and neither did I.

            They said if I bought AMD, my computer would run "too slow," but I had long stopped listening and just kept using the tool.

            The truth is that most of what I use my computer for I could be doing on a microcontroller if it was al
