Apple gets lawsuit over Meltdown and Spectre dismissed
Judge finds security is not a central feature of iDevices
A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.
The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.
Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."
"Apple’s implementation of speculative and out-of-order execution allegedly allows bad actors to access sensitive data that would normally need to process through security checks or require isolation within the OS," the complaint says, adding that Apple had been informed about the flaws in June 2017 and continued selling devices with vulnerable silicon without informing customers.
But on Wednesday, US District Judge Edward Davila, based in San Jose, California granted Apple's motion to dismiss the case, citing the plaintiff's failure to demonstrate that security is a central function of Apple's products, among other legal deficiencies.
To explain his rationale, he cited an ongoing lawsuit filed in Oregon against Intel over Meltdown and Spectre.
"Most notably and relevant here, the District of Oregon – in reviewing a CLRA [California's Consumers Legal Remedies Act] omissions claim based on similar allegations against Intel processors regarding the Spectre and Meltdown defects – held that security vulnerabilities are not central to a processor’s function," Judge Davila said in his order [PDF].
"In so holding, Judge [Michael] Simon [of the US District Court of Oregon] distinguished the alleged security vulnerabilities from the processors’ central function, which is to process and be the 'brains' of the devices in which they are placed."
- Another data-leaking Spectre bug found, smashes Intel, Arm defenses
- Intel fails to get Spectre, Meltdown chip flaw class-action super-suit tossed out
- If you've got Intel inside, you probably need to get these security patches inside, too
- Do you want speed or security as expected? Spectre CPU defenses can cripple performance on Linux in tests
The Oregon judge, Davila said, found it relevant that there was no allegation that these supposedly defective Intel processors had ever corrupted, lost data, or led to a computer crash. And even following the disclosure of Meltdown and Spectre, Judge Simon observed, people continued to buy devices with the affected processor "without any alleged security breaches as a result of the defects."
In granting Apple's motion to dismiss, Judge Davila left the plaintiffs the opportunity to refine their allegations and refile their claim by the end of the month.
An attorney for the plaintiffs did not immediately respond to a request for comment.
The similar complaint against Intel in Oregon survived a motion to dismiss early this year because Judge Simon found the plaintiffs' claim that Intel delayed revealing Meltdown and Spectre to protect holiday season sales credible enough to allow the case to continue. ®
- AdBlock Plus
- Advanced persistent threat
- Alder Lake
- Apple M1
- App stores
- Black Hat
- Bug Bounty
- Cisco ACE
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Integrated Circuit
- Kenna Security
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Pat Gelsinger
- Programming Language
- Remote Access Trojan
- Retro computing
- RSA Conference
- Search Engine
- Software License
- Tim Cook
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Web Browser
- Zero trust