Intel has confirmed that Alder Lake’s BIOS source code has leaked online. Having originated from 4chan and GitHub late last week, the content reportedly comprises 6 GB of tools and source code, material that can be used to build and optimize BIOS/UEFI images. New security vulnerabilities aren’t expected from this incident, according to an official statement that Intel sent to Tom’s Hardware.
“Our proprietary UEFI code appears to have been leaked by a third party,” Intel’s statement reads. “We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.”
vx-underground (@vxunderground), October 8, 2022:
The source code to the Intel Alder Lake has been leaked online.
* Alder Lake CPU was released November 4, 2021
* Source code is 2.8GB (compressed)
* Leak (allegedly) from 4chan
* We have not reviewed the entirety of the code base, it is massive
From a Tom’s Hardware report:
The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded. Among its many responsibilities, the BIOS establishes connections to certain security mechanisms, like the TPM (Trusted Platform Module). Now that the BIOS/UEFI code is in the wild and Intel has confirmed it as legitimate, both nefarious actors and security researchers alike will undoubtedly probe it to search for potential backdoors and security vulnerabilities.
Intel hasn’t confirmed who leaked the code or where and how it was exfiltrated. However, we do know that the GitHub repository, now taken down but already replicated widely, was created by an apparent employee of LC Future Center, a China-based ODM that manufactures laptops for several OEMs, including Lenovo. Additionally, one of the leaked documents refers to “Lenovo Feature Tag Test Information,” furthering the theories of the link between the company and the leak.
Intel launched its first Alder Lake CPUs in November 2021, introducing a new hybrid architecture that leverages two distinct types of cores: Performance-cores and Efficient-cores. Security researchers, including Mark Ermolov, have already been busy analyzing the leaked code, with the private signing key used for Intel’s Boot Guard being a notable find thus far.