It’s Official: The BIOS Source Code Intel Alder Lake was leaked and Intel has confirmed it. A total of 6GB of code used to build the BIOS/UEFI source code is now out in the wild, having been posted on GitHub and 4chan.
Intel doesn’t seem too concerned, but security researchers are now hard at work trying to see if this can be used maliciously. If you have an Alder Lake CPU, should you be concerned?
I can’t believe: NDA-ed MSRs, for the newest CPU, what a good day… pic.twitter.com/bNitVJlkkL
— Mark Ermolov (@_markel___) October 8, 2022
News of the leak broke a couple of days ago when the code was found in a public GitHub repository, as well as shared on 4chan. The 6 GB file contains some of the tools and code that Intel has used to build the BIOS/UEFI on their Alder Lake CPUs. Since these are some of the best processors out there today, this could put many Intel customers at risk.
The BIOS/UEFI source code is responsible for initializing the hardware even before the operating system has a chance to load. As such, it is responsible for establishing secure connections to important mechanisms within the computer, such as the Trusted Platform Module (TPM). The BIOS plays an important role in any computer, so it’s certainly not a good thing that the source code can now be in the hands of nefarious threat actors.
It was initially unclear if the leaked file was the real deal, but Intel itself has now confirmed that to be the case. In a statement issued to Tom’s HardwareIntel said:
“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this will expose any new security vulnerabilities, as we do not rely on information obfuscation as a security measure. This code is covered by our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who can identify potential vulnerabilities to bring it to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.”
Intel’s statement implies that the most sensitive data had already been stripped from the source code before it was released to external partners. The source code contains many references to Lenovo, including “Lenovo String Service”, “Lenovo Cloud Service” and “Lenovo Secure Suite”. bleeping computer notes that all code was developed by Insyde Software Corp.
While this leak sounds pretty bad, Intel doesn’t seem too concerned, though it’s nice that it refers everyone to its bug bounty program. Many security researchers are already looking for cracks in the code, and some of the findings are less optimistic.
Hardware security firm Hardened Vault told Bleeping Computer: “The attacker/bug hunter can greatly benefit from leaks, even if the leaked implementation [del fabricante] it is only partially used in production. Insyde’s solution can help security researchers, bug hunters (and attackers) find the vulnerability and easily understand the result of reverse engineering, adding to the long-term high risk to users.”
Since a KeyManifest private encryption key was found in the leak, it is possible that hackers could use it to bypass Intel hardware security. Even so, it’s still a pretty long shot, so you probably don’t need to be too worried.
In any case, it is worth staying safe with some antivirus software to ensure that no attacker can access your computer and subsequently the BIOS.