Intel was sued by consumers, claiming that the chipmaker knew that there was a Downfall vulnerability but still sold chips on the market. Intel CPU users complained that the company was aware of the potential existence of the Downfall vulnerability, but did nothing.
Before discussing this lawsuit, let’s review what Downfall is. As mentioned previously, this vulnerability specifically affects workloads that use AVX2/AVX-512 collective instructions. Intel revealed that "Downfall" has a greater impact on the older generation TigerLake/IceLake series products. Simply put, the vulnerability exposes hardware registry contents, potentially leading to large-scale data theft. Because vulnerabilities are so common in the industry, they are not considered the company's fault and are usually mitigated quickly.
However, according to a lawsuit filed by five Intel CPU buyers, Intel has known about the AVX side-channel vulnerability since as early as 2018. In addition, the company did not tend to fix the vulnerabilities in the architecture until Downfall was discovered. This not only put the security of millions of users at risk, but also caused the sequelae of the vulnerability to cause the processor to drop by 50% in some application scenarios.
The complaint alleges that in the summer of 2018, while Intel was working on Specter and Meltdown, the manufacturer received two separate vulnerability reports from third-party researchers warning that the microprocessor giant's Advanced Vector Extensions (AVX) instruction set (which allows Intel CPU cores to operate on multiple blocks of data simultaneously, thereby improving performance) was vulnerable to the same side-channel attacks as the other two critical flaws.
The applicant's argument shows that Intel was aware of the "vulnerability" early on and made no effort to fix it despite knowing it might exist five years ago. In addition, Intel is said to have implemented a "secret buffer" related to these instructions, whose basic purpose is to temporarily suppress the threat of the vulnerability. Instead of solving the problem, this has exacerbated the problem and led to attacks such as data theft.
These secret buffers, combined with the side effect of remaining in the CPU cache, opened what amounts to a backdoor mechanism in Intel's CPUs, allowing attackers to exploit AVX instructions to easily obtain sensitive information in memory, including encryption keys used for Advanced Encryption Standard (AES) encryption, which is the very design flaw that Intel allegedly fixed after the Specter and Meltdown incidents.
Intel has yet to respond to this claim, but it is a serious accusation against the company because it shows that Intel clearly has "no care" about potential backdoors and vulnerabilities in its architecture, putting both consumers and businesses at risk. However, we can't draw a conclusion yet, because as the saying goes, "no suspicion leads to guilt."