Tom’s Hardware reported a couple of days ago that the BIOS source code for Intel’s 12th gen CPU codenamed Alder Lake has been leaked online, following its release on 4chan, which appears to have been also posted on GitHub.
On Friday, a Twitter user named ‘Freak’ posted links to what is believed to be the source code for Intel Alder Lake’s UEFI firmware. The post claimed that an unknown 4chan group was responsible for this leak. The links led to a GitHub repository under the name ‘ICE_TEA_BIOS’, however, since then, the post containing the link to the GitHub repository was taken down, but allegedly has been replicated.
The leaked source code is a massive 6GB in size, which appears to have contained sensitive information regarding UEFI/BIOS building code, private keys, change logs, and compilation tools.
Intel Confirms the Leaked Source Code Is Indeed Authentic
Following this news, Tom’s Hardware reached out to Intel to confirm the legitimacy and seriousness of the leak, and in a statement issued by spokesperson on behalf of the tech giant, it is now confirmed that the leaked source code is indeed authentic.
Intel downplayed the seriousness of security concerns regarding this leaked data, but reached out to any researchers and customers who can identify any potential vulnerabilities, to “keep them informed”.
Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.Intel spokesperson.
Experts Warn Users of Potential Dangers & Exploits
Positive Technologies security researcher and system programmer Mark Ermolov is already analyzing the leaked source code, and shared his concerns over on Twitter, after having found information regarding MSRs (Model Specific Register) for Intel newest CPU, which could lead to potential security concerns.
He also found private encryption keys used to secure Intel’s Boot Guard, claiming that it can no longer be trusted, along with extracting Intel x86 microcode.
A very bad thing happened: now, the Intel Boot Guard on the vendor’s platforms can no longer be trusted… ☹️ pic.twitter.com/K5mXcp5ipW— Mark Ermolov (@_markel___) October 8, 2022
Intel has not confirmed any details regarding who is responsible for the leaked source code yet, however, the repository posted on GitHub was created by an employee of LC Future Center, a Chinese manufacturer of laptops for several OEMs.
Intel is encouraging customers and researchers to submit any vulnerabilities they may find via Project Circuit Breaker, which is a bounty program for bugs that awards between $500 to $100,000 per bug, depending on the seriousness of reported issues.
Source: Tom’s Hardware