Intel Confirms Alder Lake BIOS Source Code Leak, New Details Emerge

Stock image of a digital skull in code
(Image credit: Shutterstock)

We recently broke the news that Intel's Alder Lake BIOS source code had been leaked to 4chan and Github, with the 6GB file containing tools and code for building and optimizing BIOS/UEFI images. We reported the leak within hours of the initial occurrence, so we didn't yet have confirmation from Intel that the leak was genuine. Intel has now issued a statement to Tom's Hardware confirming the incident:

"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation." — Intel spokesperson. 

The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded. Among its many responsibilities, the BIOS establishes connections to certain security mechanisms, like the TPM (Trusted Platform Module). Now that the BIOS/UEFI code is in the wild and Intel has confirmed it as legitimate, both nefarious actors and security researchers alike will undoubtedly probe it to search for potential backdoors and security vulnerabilities. 

In fact, famed security researcher Mark Ermolov has already been hard at work analyzing the code. His early reports indicate that he has found secret MSRs (Model Specific Registers) that are typically reserved for privileged code and thus can present a security problem, along with the private signing key used for Intel's Boot Guard, thus potentially invalidating the feature. In addition, there are also signs of ACMs (Authenticated Code Modules) for BootGuard and TXT (Trusted Execution Technology), portending potential future issues with the root of trust. 

See more

The impact and breadth of discoveries could be limited, though. Most motherboard vendors and OEMs would have similar tools and information available to build firmware for Intel platforms. Moreover, Intel's statement that it doesn't rely upon information obfuscation as a security measure means it has likely scrubbed the most overly-sensitive material before releasing it to external vendors.

Intel is being proactive, though, and encouraging researchers to submit any vulnerabilities they find to its Project Circuit Breaker bug bounty program, which awards between $500 to $100,000 per bug, depending on the reported issue's severity. It's unclear if the code can indirectly benefit open-source groups like Coreboot. 

Intel hasn't confirmed who leaked the code or where and how it was exfiltrated. However, we do know that the GitHub repository, now taken down but already replicated widely, was created by an apparent LC Future Center employee, a China-based ODM that manufactures laptops for several OEMs, including Lenovo. Additionally, one of the leaked documents refers to "Lenovo Feature Tag Test Information," furthering the theories of the link between the company and the leak. There are also a plethora of files labeled 'Insyde,' referring to Insyde Software, a company that provides BIOS/UEFI firmware to OEMs and is known to work with Lenovo. 

We aren't aware of any attempts at ransom yet, but Intel or the affected parties might not have made those attempts public. Conversely, this could simply be the case of an employee inadvertently posting the source code to a public repository.

However, recent hacks have targeted outside vendors to indirectly steal information from semiconductor manufacturers, thus enabling ransom attempts, and this leak could follow that model. A spate of recent attacks includes an attempt by RansomHouse to extort AMD after it obtained 56GB of data. AMD partner Gigabyte also had 112 GB of sensitive data stolen in the infamous 'Gigabyte Hack,' but AMD refused to pay the ransom for the latter hack. As a result, information about AMD's forthcoming Zen 4 processors was divulged before launch, which later proved genuine.

Nvidia also suffered a recent attack that resulted in the theft of 1TB of its data, but the GPU-making giant retaliated with its own operations to render the stolen data useless.

We'll update this article if any new details emerge. 

Paul Alcorn
Managing Editor: News and Emerging Tech

Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.

  • coromonadalix
    Can't understand why in 2022 with all of this kind of events, companies will not be better prepared ... always seem a cost issue to implement more securities ... in the end the customer receive all the problems with products who became less and less secure
    Reply
  • pgde
    Seems to me since the code was leaked by one of the AIB partners (probably Lenovo in China), that person had elevated access to the code. Can't really protect against that IMO.
    Reply
  • shawman123
    Open source code is not less secure. There are greater set of eyes on the code revealing more issues.
    Reply
  • rluker5
    Bios update incoming.
    Reply
  • LastStanding
    pgde said:
    Seems to me since the code was leaked by one of the AIB partners (probably Lenovo in China), that person had elevated access to the code. Can't really protect against that IMO.

    My thoughts exactly but many sites still refuses to cover this very concerning story (shocking, right) buuuut... many so-called tech (only in their name ;)) "dictator" site staff are protecting such conversations as branded "low-quality" to protect and secure their stance so they could keep receiving those free-samples and extra perks from those very same unethical questionable companies, in my opinion.

    The rule of thumb is - high-risk leaks/infiltrations = 98.9999% an inside job!
    Reply
  • cryoburner
    Nvidia also suffered a recent attack that resulted in the theft of 1TB of its data, but the GPU-making giant retaliated with its own operations to render the stolen data useless.
    How was the data rendered useless? Even according to that article, the hacking group claimed to have a backup of the data, which shouldn't even have to be said for an organized extortion group holding stolen data likely valued at millions of dollars. It seems unlikely that they would have actually lost access to it.
    Reply
  • Archemedian
    Does this not seem like a blatant purposeful leak to see if it would be beneficial to be open source in the future? Or like, an attempt to get the benefits of open source while still retaining the ability to sue whomever they want if they use the code for say, coreboot..... Their official statement seemed more like a request to secure the platform more than address the leak
    Reply
  • Fates_Demise
    coromonadalix said:
    Can't understand why in 2022 with all of this kind of events, companies will not be better prepared ... always seem a cost issue to implement more securities ... in the end the customer receive all the problems with products who became less and less secure
    Because there are about a million times more hackers
    coromonadalix said:
    Can't understand why in 2022 with all of this kind of events, companies will not be better prepared ... always seem a cost issue to implement more securities ... in the end the customer receive all the problems with products who became less and less secure
    Because its 10x easier to break a door down than build one. There are far more hackers in the world than security design people working for any single company.
    Any company trying to fully stop hacking would have to spend billions, only to find out it still wouldn't work and the only true way to keep data in is having zero access to the net.
    Reply
  • Fates_Demise
    Archemedian said:
    Does this not seem like a blatant purposeful leak to see if it would be beneficial to be open source in the future? Or like, an attempt to get the benefits of open source while still retaining the ability to sue whomever they want if they use the code for say, coreboot..... Their official statement seemed more like a request to secure the platform more than address the leak
    They addressed the leak just fine, patched the hole, not worried about any issues with the leaked info but just in case anyone finds something we are offering a reward so we can fix it.
    Pretty straightforward to me.
    Reply
  • Archemedian
    cryoburner said:
    How was the data rendered useless? Even according to that article, the hacking group claimed to have a backup of the data, which shouldn't even have to be said for an organized extortion group holding stolen data likely valued at millions of dollars. It seems unlikely that they would have actually lost access to it.
    Google is your friend, took me 5 seconds to research his claim...

    1497627779755438083View: https://twitter.com/BrettCallow/status/1497627779755438083
    Reply