Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic, raising cybersecurity concerns among researchers.
Alder Lake is the name of Intel’s 12th generation Intel Core processors, unveiled in November 2021.
On Friday, a Twitter user named ‘freak’ posted links to what was said to be the source code for Intel Alder Lake’s UEFI firmware, which they claim was released by 4chan.
The link led to a GitHub repository named ‘ICE_TEA_BIOS’ that was uploaded by a user named ‘LCFCASD.’ This repository contained what was described as the ‘BIOS Code from challenge C970.’
The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, most likely when a hacker or insider copied the data.
BleepingComputer has been told that all the source code was developed by Insyde Software Corp, a UEFI system firmware development company.
The leaked source code also includes many references to Lenovo, including code for integrations with ‘Lenovo String Service’, ‘Lenovo Protected Suite’, and ‘Lenovo Cloud Assistance.’
At this time, it is unclear whether the source code was stolen in a cyberattack or leaked by an insider.
However, Intel has confirmed to Tom’s Hardware that the source code is genuine and is its “proprietary UEFI code.”
“Our proprietary UEFI code appears to have been leaked by a 3rd party. We do not think this exposes any new protection vulnerabilities as we do not rely on obfuscation of information and facts as a stability measure. This code is included under our bug bounty program inside of the Task Circuit Breaker marketing campaign, and we inspire any researchers who could discover possible vulnerabilities to bring them our focus by way of this plan. We are achieving out to both of those consumers and the security analysis neighborhood to maintain them informed of this situation.” – Intel spokesperson.
Security researchers concerned
While Intel has downplayed the security risks of the source code leak, security researchers warn that the contents could make it easier to find vulnerabilities in the code.
“The attacker/bug hunter can vastly reward from the leaks even if leaked OEM implementation is only partly utilized in the output,” explains hardware security company Hardened Vault.
“The Insyde’s remedy can aid the stability scientists, bug hunters (and the attackers) come across the vulnerability and understand the consequence of reverse engineering simply, which adds up to the long-phrase significant threat to the buyers.”
Positive Technologies hardware researcher Mark Ermolov also warned that the leak included a KeyManifest private encryption key, a private key used to secure Intel’s Boot Guard platform.
While it is not clear if the leaked private key is used in production, if it is, hackers could potentially use it to modify the boot policy in Intel firmware and bypass hardware security.
BleepingComputer has contacted Intel, Insyde, and Lenovo with questions about the leak and whether the private keys were used in production.
We will update this story with any responses as we learn more.