We recently broke the news that Intel’s Alder Lake BIOS source code had been leaked to 4chan and Github, with the 6GB file containing tools and code for building and optimizing BIOS/UEFI images. We reported the leak within hours of the initial occurrence, so we didn’t yet have confirmation from Intel that the leak was genuine. Intel has now issued a statement to Tom’s Hardware confirming the incident:
“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.” — Intel spokesperson.
The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded, so among its many responsibilities, is establishing connections to certain security mechanisms, like the TPM (Trusted Platform Module). Now that the BIOS/UEFI code is in the wild and Intel has confirmed it as legitimate, both nefarious actors and security researchers alike will undoubtedly probe the it to search for potential backdoors and security vulnerabilities.
In fact, famed security researcher Mark Ermolov has already been hard at work analyzing the code. His early reports indicate that he has found secret MSRs (Model Specific Registers) that are typically reserved for privileged code and thus can present a security problem, along with the private signing key used for Intel’s Boot Guard, thus potentially invalidating the feature. In addition, there are also signs of ACMs (Authenticated Code Modules) for BootGuard and TXT.
I can’t believe: NDA-ed MSRs, for the newest CPU, what a good day… pic.twitter.com/bNitVJlkkLOctober 8, 2022
The impact and breadth of discoveries could be limited, though. Most motherboard vendors and OEMs would have similar tools and information available to build firmware for Intel platforms. Moreover, Intel’s statement that it doesn’t rely upon information obfuscation as a security measure means it has likely scrubbed the most overly-sensitive material before releasing it to external vendors.
Intel is being proactive, though, and encouraging researchers to submit any vulnerabilities they find to its Project Circuit Breaker bug bounty program, which awards between $500 to $100,000 per bug, depending on the reported issue’s severity. It’s unclear if the code can indirectly benefit open-source groups like Coreboot,
Intel hasn’t confirmed who leaked the code or where and how it was exfiltrated. However, we do know that the GitHub repository, now taken down but already replicated widely, was created by an apparent LC Future Center employee, a China-based ODM that manufactures laptops for several OEMs, including Lenovo. Additionally, one of the leaked documents refers to “Lenovo Feature Tag Test Information,” furthering the theories of the link between the company and the leak. There are also a plethora of files labeled ‘Insyde,’ referring to Insyde Software, a company that provides BIOS/UEFI firmware to OEMs and is known to work with Lenovo.
We aren’t aware of any attempts at ransom yet, but Intel or the affected parties might not have made those attempts public. Conversely, this could simply be the case of an employee inadvertently posting the source code to a public repository.
However, recent hacks have targeted outside vendors to indirectly steal information from semiconductor manufacturers, thus enabling ransom attempts, and this attack could follow that model. A spate of recent attacks includes an attempt by RansomHouse to extort AMD after it obtained 56GB of data. AMD partner Gigabyte also had 112 GB of sensitive data stolen in the infamous ‘Gigabyte Hack,’ but AMD refused to pay the ransom for the latter hack. As a result, information about AMD’s forthcoming Zen 4 processors was divulged before launch, which later proved genuine.
Nvidia also suffered a recent attack that resulted in the theft of 1TB of its data, but the GPU-making giant retaliated with its own operations to render the stolen data useless.
We’ll update this article if any new details emerge.