An unidentified Quebec restaurant is among those trying to sue Intel Corp. over the Meltdown/Spectre processor flaws which infosec teams are busy trying to patch.
The restaurant is a numbered company named in court documents as 9085-4886 Quebec Inc., which will ask a Superior Court judge in Montreal to certify a class action lawsuit against Intel of Canada, Intel International and the parent Intel Corp. for as yet unspecified damages on behalf of all Quebec residents who purchased or leased an Intel-powered x86-64 device or CPU.
The application for certification of the class action also demands Intel “recall, repair, and/or replace the Intel Processors free of charge.”
According to industry experts, the current generation of Intel chips includes the flaw and cannot be replaced or repaired. They say it will take a new generation of CPUs to permanently get rid of the problems. However, Intel has released some patches, and Microsoft and some Linux distributions are issuing patches to mitigate the flaws.
The application was filed January 8 by the Montreal law firm Consumer Law Group. Three separate class-action lawsuits against Intel have been filed in California, Oregon, and Indiana. UPDATE: On Jan. 16 a New York law firm announced it will seek court approval for a class action suit against chipmaker AMD for damages, while a California law firm has also started a class action suit there against AMD. Separately a Northern California court has been asked to certify a class action suit against Apple products with ARM-based processors.
In the Quebec application it is alleged that Intel “designed, developed, manufactured, licensed, marketed, distributed, promoted, sold and/or warranted Intel Processors which contain security flaws that may be exploited by hackers to access class members’ personal and/or private information, such as passwords, usernames, security keys, credentials, cryptographic keys, social security/insurance numbers, personal photos, credit card and banking information, emails and other data.”
It is also alleged Intel effectively knew about the design defect since at least June 1, 2017 “and should have known about the design defect significantly earlier than that, yet they intentionally made the business decision to not disclose its existence to consumers.”
The application says Intel hasn’t offered to compensate consumers to remedy their damages. Instead, it says, members of the class to be represented in the suit have been asked to download a “patch”, which will “dramatically degrade the CPUs’ performance and slow the electronic device down by between five to 30 per cent.”
The allegations have not been proven in court. Intel has yet to file a statement of defence.
In an email, lawyer Andrea Grass, who acts for the numbered company, said it is not unusual for a company to represent the class members in a class action.
In Quebec, she said, class actions operate on an opt-out basis, meaning that all class members are included unless they specifically exclude themselves. The plaintiff represents all Quebec residents that purchased and/or leased, either alone or as part of an electronic device, an Intel processor with x86-64 architecture. “This basically means that the plaintiff represents all Quebec residents with a smartphone, laptop, and/or desktop computer (all Quebec residents). This would basically mirror the population of Quebec, which was estimated at 8,425,996 in 2017,” Grass said.
The Quebec application may not be the only one launched in this country. In provinces that allow class actions (only PEI doesn’t) a judge first has to certify a class action before the civil lawsuit can go ahead. So far no other class action has been filed in another province or territory. Note that unlike the United States, where class action lawsuits in several states can be consolidated, class action suits against the same defendant(s) filed in different provinces might proceed separately, one law firm has noted. That’s because Quebec has a civil law system, while the other jurisdictions follow British-based common law.
In an interview this morning Imran Ahmad, who focuses on cybersecurity, technology and privacy law at the Miller Thomson law firm, said he wouldn’t be surprised if similar class action suits in other provinces are filed soon.
While it has been only two weeks since the vulnerabilities were publicly disclosed, Ahmad said it isn’t early for a law firm to file a class action application. “If you look at the history of class actions generally it’s the moment when you have an issue … right away you have class actions filed. And the reason is the first class action that gets filed is the one that’s going to be leading the class … Better to file something and amend it (the claim) over time than wait for the right information to come.”
Intel has made no public statement that CPU performance could take a hit by as much as 30 per cent. That number was mentioned in the first news report of the flaw made Jan. 2 by The Register, which gave no attribution to where the figure came from.
Intel has said in some tests there could be a 10 per cent performance impact (see below). An organization might have to spend money to increase a system’s processing power to compensate for any performance hit it might see from a patch. The cost of that could be among the damages a class action group could seek. There also could be costs if a patch or a registry change needs to be manually installed, costs which a plaintiff could also try to recover.
On Jan. 10 Intel did say that the performance impact of the patch mitigation on its 8th generation platforms (code-named Kaby Lake, Coffee Lake) with solid state hard drives “is small. Across a variety of workloads, including office productivity and media creation as represented in the SYSMark2014SE benchmark, the expected impact is less than six per cent.”
“In certain cases, some users may see a more noticeable impact. For instance, users who use web applications that involve complex JavaScript operations may see a somewhat higher impact (up to 10 per cent based on our initial measurements). Workloads that are graphics-intensive like gaming or compute-intensive like financial analysis see minimal impact.”
The impact on the 7th Generation Kaby Lake-H mobile processors is similar, Intel said. For the 6th generation Skylake-S platform the performance impact is slightly higher, but generally in line with what Intel tested on its 8th and 7th generation CPU platforms (approximately 8 percent on the SYSMark2014SE benchmark), the company added.
The same benchmark test on a Windows 7 platform “is small (approximately 6 per cent on the SYSMark2014SE benchmark),” it added. The observed impact is even lower on systems with spinning disk hard drives, Intel says.
On Jan. 11 Intel said that by Monday Jan. 15 it will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these processors available by the end of January. After that, it will focus on issuing updates for older products as prioritized by customers.
On Jan. 9 Microsoft said that as of that date patches for 41 of 45 versions of Windows were available, with the rest coming soon. It also noted that some benchmark tests published up to that date had not included systems with both operating system and processor updates. Some Windows 10 systems tested showed “single digit” slowdowns, it said, but in practice, this amounts to milliseconds. Older Win10 systems running benchmarks “show more significant slowdowns, and we expect that some users will notice a decrease in system performance.”
“Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance,” Microsoft added. “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.”
Intel first publicly acknowledged the problem Jan. 3 after news broke in The Register. The next day it began issuing patches. In initial statements Intel said it “continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.”
Intel was told about the flaws and vulnerabilities June 1, 2016 by Google’s Project Zero.
Meltdown and Spectre exploit three vulnerabilities in CPU kernel memory from computing processes designed to speed up calculations. Meltdown largely affects Intel processors. Spectre affects Intel, AMD and ARM processors. In some cases the vulnerabilities can be exploited through browsers, which have to be patched by makers including Microsoft, Mozilla, Apple and Google. The Quebec class action application alleges “there is no known fix or patch” for Spectre. If the flaws are exploited, an attacker could read sensitive data such as passwords held in memory.
Details by researchers of the flaws and potential exploits are on this site.
(This story has been updated to make it clear the Quebec numbered company is the incorporated name of the restaurant)