Class Action Lawsuits Over Meltdown and Spectre CPU Bugs

Dani Alexis Ryskamp, J.D.

Written by
— Updated on June 23, 2020

Class Action Lawsuits Over Meltdown and Spectre CPU Bugs

Meltdown Lawsuit

Intel, Apple, and AMD currently find themselves facing what may be the most far-reaching class action lawsuits of our time.

The class actions all focus on two major security flaws, dubbed “Meltdown” and “Spectre,” which affect nearly all Intel processors dating back to 1995. The bugs make it possible for hackers to access sensitive data that is ordinarily protected by the computer’s hardware.

Intel’s technology underpins the majority of processors in use today. As a result, the Meltdown and Spectre bugs affect hardware and software produced by a wide range of companies, including not only Apple and AMD, but ARM, Nvidia, Google, and even Microsoft.

A Short History of Meltdown and Spectre

In non-affected systems, CPUs use a process called “speculative execution”  in which the chip guesses what information the computer will need to perform its next function. As the chip guesses, the information it’s “guessing” is momentarily easier to access.

Normally, the guessed information is protected by the processor – not unlike how a person’s guess is “protected” by remaining inside their private thoughts. Meltdown and Spectre, however, offer two ways for hackers to access that guess and exploit the information it contains.

According to the class action lawsuit filed against Apple, “The first hacking technique is known as ‘Meltdown’ because it ‘melts security boundaries which are normally enforced by the hardware,’ and the other hacking technique is known as ‘Spectre’ because its root cause is speculative execution, and ‘because it is not easy to fix, it will haunt us for quite some time.’”

The Meltdown bug appears primarily in Intel processors, but it has a long history: Processors made as early as 1995 have been deemed affected by the bug. Spectre has a shorter history but a broader reach, affecting processors made by companies like AMD as well.

Identifying the Bugs, Filing Lawsuits: What Happened

Google claims to have informed Intel and other affected companies about Spectre on June 1, 2017, and to have reported Meltdown by July 28. Both companies, however, appear to have avoided any public statements until early 2018, when leaked news about the bugs caused Intel’s stock price to drop by 3.4 percent.

The first class-action lawsuits against Intel were filed in early 2018, only days after information about the bugs became public. A class-action lawsuit against Apple appeared a few days later. AMD became a defendant in yet another class-action by mid-January 2018 as well.

The class action lawsuits against Intel, Apple, and AMD all raise similar concerns: What went wrong? When did the respective defendants know about it? Did they respond appropriately? And are the proposed cures worse than the initial flaws?

The last question is particularly troublesome. To fix the Meltdown and Spectre bugs, the system’s method of handling core memory must be altered. Early tests of patches revealed that while most desktop applications showed no signs of slowed performance, storage I/O operations speeds dropped by 2 to 7 percent in some systems, and some enterprise applications slowed significantly. In January 2018, Microsoft stopped offering the early patches altogether after reports that the patches had made some PCs unbootable.

An attorney for the plaintiffs in the Intel suits has called Meltdown and Spectre “one of the largest security flaws ever facing the American public.”

The Experts’ Perspective

Users whose computers, smartphones, tablets, or other devices are affected by the Meltdown or Spectre bugs can download a patch and update their operating systems, according to Intel and AMD. To do this, users won’t need an in-depth understanding of either flaw; they’ll only need to know how to update their devices.

Fact-finders in the class action lawsuits, however, will need more information. They’ll need to understand the nature of the flaws and how they are identified. Because Meltdown appears to affect processors back to 1995, judges and jurors will need to understand how processor technology has developed over the previous 25 years. They’ll need to know how soon troubleshooters like the Google team could have identified the problem, and they’ll need background on how companies like Intel and AMD typically check for flaws.

Imparting all this information will require the work of lawyers who can structure a case well and expert witnesses who can fill in the technical details. While the details may seem dry to non-technically-minded jurors, they can be woven into a compelling story with sufficient attention to an expert’s qualifications and performance while testifying.

Leave a Reply

Your email address will not be published.

I am an