Intel’s Security At Stake as Alder Lake BIOS Source Code Leaks Online

[UPDATE]: In a message to Tom’s Hardware, Intel has finally acknowledged the incident:
“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.”
The source code for Intel’s Alder Lake BIOS was allegedly leaked onto 4chan by an unidentified person, and it now seems that a duplicate copy has been shared on GitHub.
The files are in a 2.8 GB zip file, which after decompression grows to 5.86 GB. No official/reputable source has confirmed the authenticity of the leaked files. The alleged leak was revealed by tweets from @glowingfreak.
The source code to the Intel Alder Lake has been leaked online.
* Alder Lake CPU was released November 4, 2021
* Source code is 2.8GB (compressed)
* Leak (allegedly) from 4chan
* We have not reviewed the entirety of the code base, it is massive
— vx-underground (@vxunderground) October 8, 2022
The file appears to contain a large amount of data and tools designed for creating a BIOS/UEFI for the Alder Lake platform and chipsets from Intel. Although it’s unclear how the files were obtained, one of them does mention “Lenovo Feature Tag Test Information.” The git log has also revealed a few further hints.
Even if it is established that the files include critical information, it is unknown if they might be utilised to create exploits, especially if they came from a source other than Intel. It’s simple to imagine that the majority of motherboard manufacturers and original equipment manufacturers (OEMs) would have access to tools and information similar to these for developing firmware for Intel platforms, and Intel would probably scrub any excessively sensitive material before making it available to external vendors.
That said, sensitive information in the hands of malicious users is never a good thing, and even tiny amounts of information can create significant vulnerabilities, particularly when it concerns security mechanisms.
Although we are unsure of how the files were obtained, recent attacks have targeted outside vendors to steal data from semiconductor makers covertly, facilitating ransom efforts.
In the recent wave of attacks, RansomHouse made an effort to blackmail AMD after obtaining 56 GB of data. In the infamous “Gigabyte Hack,” AMD partner Gigabyte also had 112 GB of private information taken, although AMD declined to pay the ransom for that hack. As a result, details about AMD’s upcoming Zen 4 processors were leaked before their introduction, and they eventually turned out to be accurate.
A recent attack on NVIDIA also resulted in the loss of 1TB of company data, but the industry behemoth in GPU production responded by destroying the stolen data with its own procedures.
We don’t have any additional information about the alleged Intel leak, but we will update you as soon as we receive any official statement.