
Intel Confirm Alder Lake UEFI/BIOS Source Code Leak

AleksandarK

Intel Alder Lake source code for BIOS/UEFI building and optimization has been leaked in a massive 6 GB leak that appeared on 4chan and GitHub. While this number may seem small, it is a colossal codebase, given that regular code files take up little space. We assume that the documentation is bundled there as well; however, we cannot check ourselves, as the repository has been taken down. Tom's Hardware has contacted an Intel representative to talk about the code leak, and the rep issued a statement for the website.

Intel Spokesperson said:
Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.



While we don't know exactly who made the source code public, assumptions led to Chinese vendors creating software for Lenovo. There are no direct accusations, and Intel hasn't stated who is to blame, so we have to wait for further information.

 
Some PR team put the wrong file in the 'Another Day another Intel Leak' folder?
 
So, AVX-512 toggles when.
 
While this number may seem small, it is a colossal codebase

Why would that seem small? Was the code leaked in 4k HDR uncompressed format?
 
Just caught the last line in that article.

'While we don't know exactly who made the source code public, assumptions led to Chinese vendors creating software for Lenovo. There are no direct accusations, and Intel hasn't stated who is to blame, so we have to wait for further information'

Oh boy, Superfish V2, here we come
 
This can't be good.

What's the commonality like for UEFI between vendors is one question I have.
 
This can't be good.
This can be better than good. It can show the importance of security that is not built upon closed firmware and things like that. You know, things projects like Coreboot have been preaching for years.
 
This can be better than good. It can show the importance of security that is not built upon closed firmware and things like that. You know, things projects like Coreboot have been preaching for years.
I mean yes, it could push that correct agenda, but given most AIBs have been hacked at some point, does it mean greater security issues for all in the short term?

I am not in security, so these questions are both genuine and non-confrontational, i.e. I want to know.

Do I need to be careful about BIOS flashes now from OEM sources etc.?

Is it worse than that, in respect to this hacked knowledge allowing some serious administration-level violation through simple phishing exploits etc.?
 
I mean yes, it could push that correct agenda, but given most AIBs have been hacked at some point, does it mean greater security issues for all in the short term?

I am not in security, so these questions are both genuine and non-confrontational, i.e. I want to know.

Do I need to be careful about BIOS flashes now from OEM sources etc.?

Is it worse than that, in respect to this hacked knowledge allowing some serious administration-level violation through simple phishing exploits etc.?
The first thing you could do, would be to modify the UEFI itself, or some firmware module it uses. But then, you'd need a way to install that on a machine to compromise it. Most people update their UEFI from the motherboard's manufacturer's site. And you get newer firmware modules through Windows or Linux updates. While I'm sure someone will find a way to do just that, I expect the damage to be limited to users that get their updates from questionable sources. I.e., very limited.

But I'm no security expert, let's wait and see what they have to say.
 
The first thing you could do, would be to modify the UEFI itself, or some firmware module it uses. But then, you'd need a way to install that on a machine to compromise it. Most people update their UEFI from the motherboard's manufacturer's site. And you get newer firmware modules through Windows or Linux updates. While I'm sure someone will find a way to do just that, I expect the damage to be limited to users that get their updates from questionable sources. I.e., very limited.

But I'm no security expert, let's wait and see what they have to say.
Many UEFI have OS interfaces to push blobs to them. Or worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
 
Many UEFI have OS interfaces to push blobs to them.
Of course they do, that's how you get new firmware through Windows or Linux update.
Or worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
Idk about undocumented means, but it's not like users are too aware when they get a firmware update anyway. Luckily, that's what makes them likely to be using the default update channels: they don't know how to mess with that.
That changes if the users click on an "install this asap for added security" email they got from an innocent bystander. But you can't save those users anyway.
 
"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities"

But is it possible??
 
Of course they do, that's how you get new firmware through Windows or Linux update.

Idk about undocumented means, but it's not like users are too aware when they get a firmware update anyway. Luckily, that's what makes them likely to be using the default update channels: they don't know how to mess with that.
That changes if the users click on an "install this asap for added security" email they got from an innocent bystander. But you can't save those users anyway.
Every update that you didn't get from an official source and you didn't deploy it yourself is a security risk.
I for one prefer to be able to update UEFI only from one place, needing the physical presence of moir.
 
hacked optimizations perhaps
 
We do not believe this exposes any new security vulnerabilities

The key word here is "BELIVE"...
 
Well....if this includes microcode...meltdown is going to be back
If they were relying on security through obscurity maybe. Nobody does that anymore though. This should make little difference, and maybe even help the overall security.

We do not believe this exposes any new security vulnerabilities

The key word here is "BELIVE"...
Believe. And that's all you can ever do when predicting the future.

But is it possible??
Anything is possible. But they'd have to be doing some seriously bad practice for it to make things worse.

Many UEFI have OS interfaces to push blobs to them. Or worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
Those loopholes are closed on most modern builds by vendors these days, at least for unsigned code. There was a big push to eliminate that a year or so ago. And thank god, because UEFI malware was on the cusp of becoming a real issue...

I mean yes, it could push that correct agenda, but given most AIBs have been hacked at some point, does it mean greater security issues for all in the short term?
Not likely.
 