Intel confirms Alder Lake chip source code leak

Chip-maker Intel has reportedly confirmed that its 'Alder Lake BIOS' source code has been leaked by a third-party on anonymous imageboard website 4chan and Microsoft-owned open-source developer platform GitHub. The published content contains Unified Extensible Firmware Interface (UEFI) code for Alder Lake, the company's 12th generation processors that were originally launched in November 2021. 

The BIOS/UEFI source code is responsible for initializing the hardware even before the operating system has the chance to load. The BIOS plays an important role in any computer, so it may pose danger to users when the source code goes in the hands of nefarious threat actors. 

Initially, it was uncertain whether the leaked file was a big deal, but Intel itself has now confirmed that to be the case. In a statement issued to Tom’s Hardware, Intel said, “Our proprietary UEFI code appears to have been leaked by a third party. The leak doesn't expose any new security vulnerabilities as we do not rely on obfuscation of information as a security measure." 

According to Intel, this code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.” 

Intel’s statement implies that the most sensitive data had already been scrubbed from the source code before it was released to external partners. The source code contains many references to Lenovo, including “Lenovo String Service,” “Lenovo Cloud Service,” and “Lenovo Secure Suite.”  

Hardware expert, Mark Ermolov tweeted that "if correct, this could be serious since Boot Guard provides the hardware Root of Trust for the system and is a vital part of the UEFI secure boot mechanism. That means whoever has the private signing key now could successfully digitally sign a malicious or altered BIOS image for Alder Lake systems and have the machines accept that unofficial version".

A report by Bleeping Computer noted that all of the code was developed by Insyde Software Corp. Also, GitHub repository has since been taken down, although it remains accessible via other replicated versions, it informed. That said, indications are that the repository had been created by an employee of LC Future Center, a Chinese manufacturer of computers and laptops. 

Earlier this February, the LAPSUS$ extortionist group leaked sensitive and valuable source code from Samsung and Nvidia, siphoning 1terabyte (TB) of sensitive data from the latter. The threat actor later claimed that the company had launched a retaliatory ransomware strike to prevent the release of the stolen data.