Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs is authentic, raising cybersecurity concerns with researchers.
Alder Lake is the name of Intel's 12th generation Intel Core processors, released in November 2021.
On Friday, a Twitter user named 'freak' posted links to what was said to be the source code for Intel Alder Lake's UEFI firmware, which they claim was released by 4chan.
The link led to a GitHub repository named 'ICE_TEA_BIOS' that was uploaded by a user named 'LCFCASD.' This repository contained what was described as the 'BIOS Code from project C970.'
The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, likely when a hacker or insider copied the data.
BleepingComputer has been told that all the source code was developed by Insyde Software Corp, a UEFI system firmware development company.
The leaked source code also contains numerous references to Lenovo, including code for integrations with 'Lenovo String Service', 'Lenovo Secure Suite', and 'Lenovo Cloud Service.'
At this time, it is unclear whether the source code was stolen during a cyberattack or leaked by an insider.
However, Intel has confirmed to Tom's Hardware that the source code is authentic and is its "proprietary UEFI code."
"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation." - Intel spokesperson.
Security researchers concerned
While Intel has downplayed the security risks of the source code leak, security researchers warn that the contents could make it easier to find vulnerabilities in the code.
"The attacker/bug hunter can hugely benefit from the leaks even if leaked OEM implementation is only partially used in the production," explains hardware security firm Hardened Vault.
"The Insyde’s solution can help the security researchers, bug hunters (and the attackers) find the vulnerablity and understand the result of reverse engineering easily, which adds up to the long-term high risk to the users."
Positive Technologies hardware researcher Mark Ermolov also warned that the leak included a KeyManifest private encryption key, a private key used to secure Intel's Boot Guard platform.
While it is not clear if the leaked private key is used in production, if it is, hackers could potentially use it to modify the boot policy in Intel firmware and bypass hardware security.
BleepingComputer has contacted Intel, Insyde, and Lenovo with questions about the leak and whether the private keys were used in production.
We will update this article with any responses as we learn more.
Comments
h_b_s - 1 year ago
Indeed, the Achilles heel of private/public keys is the integrity of the private key. If that key can't be successfully revoked for any reason at all then it's worse than if you never depended on it to begin with. The reason is that security software will now give false security assurances and may bypass any other security walls (including user interventions) in the mistaken belief the signed file is legitimate.
It's premature to know if these keys are really that sensitive without definitive proof of what, if anything, accepts them as valid in practice.