Intel says leaked Alder Lake BIOS source code is authentic

Intel says leaked Alder Lake BIOS source code is authentic

Image:
Intel says leaked Alder Lake BIOS source code is authentic

The leaked file reportedly includes source code, private keys, change logs, and multiple compilation tools

Intel has confirmed that the Alder Lake BIOS source code leaked by an unknown third-party on 4chan and Github is authentic.

"Our proprietary UEFI code appears to have been leaked by a third party," an Intel spokesperson told Tom's Hardware. The spokesperson further added:

"We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure."

On Friday, a Twitter account going by the handle "freak" shared links to what they claimed to be the UEFI firmware source code for Intel Alder Lake. User "freak" stated that the code was made available by 4chan. The link directed users to the "ICE TEA BIOS" GitHub repository, which was uploaded by user "LCFCASD."

This repository included what was described as the 'BIOS Code from project C970.' The file reportedly included a number of sub files, as well as source code, private keys, change logs, and compilation tools. The most recent date on the files was 9/30/22, which is probably when a hacker or insider downloaded the data.

According to Bleeping Computer, Insyde Software Corp., a company that specialises in the production of UEFI system firmware, created all of the source code. The compromised source code includes a number of references to Lenovo, such as code for integrating with services like "Lenovo String Service," "Lenovo Secure Suite," and "Lenovo Cloud Service."

The GitHub repository where the source code was first made available has now been removed, although users may still access it via other replicated versions.

There are indications that the repository was made by a worker at LC Future Center, a Chinese ODM that produces laptops for several manufacturers, including Lenovo.

The Intel spokesperson told Tom's Hardware that the leaked code is covered under the Project Circuit Breaker campaign's bug bounty programme, and that the company encourages any researchers who may find potential vulnerabilities to bring them to Intel's notice via this programme. Intel's bug bounty programme awards researchers for reporting security flaws in Intel products. The reward ranges from $500 to $100,000 depending on the severity of the issue.

The identity of the person who leaked the code and how the code was stolen have not been revealed by Intel.

Although Intel has downplayed the security risks posed by the source code leak, security experts warned that the leak might make it easier to uncover weaknesses in the code.

Mark Ermolov, a hardware researcher with Positive Technologies, claimed to have discovered hidden MSRs (Model Specific Registers) and a private signing key used by Intel's Boot Guard in the code.

MSRs are normally reserved for privileged code, and as a result, they might pose a threat to the system's security.

Sam Linford, VP EMEA Channels at Deep Instinct, commented: "The theft of source code is an extremely scary prospect for organisations and can open the door to cyberattacks. Source code holds massive value to cyber criminals as it is part of a company's intellectual property."

"Stolen source code can be used by threat actors to find and exploit security vulnerabilities within an organisation's product, some of which are unknown to the business itself."

"Cyber criminals are always looking for new techniques or vulnerabilities in order to catch security teams off guard. Incidents like this, where stolen source code could be used to launch cyberattacks, shows us that it is crucial that we start looking towards a prevention-first mindset."