Skip to Main Content

KTMC Seeks to Hold Accountable for Security Vulnerabilities in its CPUs

By Jennifer L. Joost, Esquire

On January 2, 2018, consumers learned for the first time that confidential information stored in their computer was vulnerable to a new set of security attacks known as Spectre. Spectre gets its name from “speculative execution” and the fact that these types of attacks likely will “haunt” the industry for some time.

Spectre and other similar security attacks (known as Meltdown and Foreshadow) take advantage of techniques used by semiconductor companies like Advanced Micro Devices Inc. (“AMD”) to optimize the speed of central processing units (“CPUs”) they design and manufacture for installation into desktops, laptops, and servers, among other devices.

CPUs are the “brains” of the devices they power, performing all the necessary calculations for each application running on the device. The CPU fetches, decodes, executes, and “writes” the result of the instructions required by the application utilizing the data temporarily stored in its “caches.” Each step in the process taking at least one “clock cycle.” The number of clock cycles a CPU completes per second is known as the “clock rate” and the rate at which a CPU processes instructions is known as “clock speed.” AMD frequently touted the clock speed of its processors, making it an important specification for consumers deciding which CPU to purchase.

Since the mid-1990s, companies like AMD have relied on techniques to optimize the speed at which CPUs process instructions in order to achieve the advertised clock speed. For instance, to ensure that a CPU is never idle, AMD CPUs process instructions out of order based on whatever data currently is available (known as “out of order execution”), in a manner similar to how students are taught to take standardized tests (e.g., answer the questions you know first before going back to answer the questions that require more thought). However, if an instruction is conditional (e.g., “If X, then Y”), it has to be completely processed before the CPU can determine what to do next. To address this problem, AMD has equipped its CPUs with the ability to predict what it will need to do next (known as “branch prediction”) and execute those instructions while it is processing the conditional instruction (known as “speculative execution”). If the CPU guesses correctly, it will have saved itself time and improved its processing speed. If the CPU guesses incorrectly, then it “flushes” all the work it has done based on the prediction, and proceeds to process the correct instructions.

Critically, without out of order execution, speculative execution, and branch prediction, AMD’s CPUs would not be able to reach advertised clock speeds. But, AMD’s implementation of these techniques in its CPU design created a massive security vulnerability. When a CPU mispredicts and speculatively executes instructions down the wrong path, the data associated with those instructions remains in the CPU’s caches — which are completely unsecured — even after the CPU has “flushed” all the work it has done based on that data. Accordingly, if an attacker can trick the CPU into mispredicting its next steps, and speculatively executing instructions down the wrong path, he can ensure that the confidential data he is seeking to acquire is deposited in the CPU’s unsecured caches, ready to be siphoned out through what is known as a “side-channel” attack.

While AMD has known about the vulnerability posed by its reliance on speculative execution and branch prediction, and the fact that it did nothing to secure its CPUs’ caches, since at least 2005, consumers were not aware that the Company sacrificed security for speed in designing its CPUs until January 2018, when the Spectre exploits first became public knowledge.

Initially, AMD denied that its CPUs were vulnerable to Spectre attacks, only to concede they were impacted several days later. Barring a complete redesign of its processor, “patches” are the only solution available to address the security vulnerability created by AMD’s design. The patches released to date do not fully address all Spectre variants and are not available for older processors, leaving certain consumers’ sensitive information vulnerable to Spectre and similar exploits. Moreover, once installed, the patches negatively impact the processing speed of AMD’s CPUs, leaving consumers with a product that performs at slower speeds than they paid for.

Two weeks after the world learned about Spectre, on January 17, 2018, Kessler Topaz Meltzer & Check LLP filed a class action lawsuit on behalf of purchasers of AMD CPUs and devices powered by AMD CPUs in the United States District Court for the Northern District of California. After the Court appointed the Firm interim co-lead counsel, Kessler Topaz filed a consolidated class action complaint (“CAC”) asserting claims under the California, Florida, and Massachusetts consumer protection laws, among others, and seeking relief on behalf of a nationwide class of individuals or entities that purchased AMD CPUs or devices powered by AMD CPUs. Defendants moved to dismiss certain of the claims alleged in the CAC on July 13, 2018, which the Court recently granted with leave to amend the CAC.

Discovery is ongoing in the case, with the Court recently denying Defendant’s request to stay the production of documents concerning AMD’s knowledge of the security vulnerability. Plaintiffs will file an amended complaint in the next few weeks.