It’s official – Intel Alder Lake BIOS source code has been leaked and Intel has confirmed it. A total of 6 GB of code used to create the BIOS/UEFI source code is now available in the wild, having been published on GitHub and 4chan.
Intel doesn’t seem too concerned, but security researchers are now hard at work seeing if it can be used maliciously. If you own an Alder Lake CPU, should you be worried?
Can’t believe: NDA-ed MSRs, for the latest processor, what a great day… pic.twitter.com/bNitVJlkkL
— Mark Ermolov (@_markel___) October 8, 2022
News of the leak broke a few days ago when the code was found in a public GitHub repository, as well as shared on 4chan. The 6GB file contains some of the tools and code Intel used to create the BIOS/UEFI in its Alder Lake processors. Given that these are some of the best processors currently available, this could potentially put many Intel customers at risk.
The BIOS/UEFI source code is responsible for initializing the hardware before the operating system even has a chance to load. As such, it is responsible for establishing secure connections with important mechanisms within the computer, such as the Trusted Platform Module (TPM). BIOS plays an important role in any computer, so it is definitely not good that the source code of it can now be in the hands of nefarious malicious actors.
It was initially unclear if the leaked file was the real deal, but Intel itself has now confirmed that it is. In a statement to Tom’s Hardware, Intel said:
“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on information obfuscation as a security measure. This code is covered by our bug bounties as part of the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We reach out to both customers and the security research community to keep them informed of this situation.
Intel’s statement implies that the most sensitive data had already been erased from the source code before being released to external partners. The source code contains many references to Lenovo, including “Lenovo String Service”, “Lenovo Cloud Service”, and “Lenovo Secure Suite”. Bleeping Computer notes that all code was developed by Insyde Software Corp.
While this leak looks pretty bad, Intel doesn’t seem too concerned – although it’s good that it’s sending everyone back to its bug bounty program. Many security researchers are already looking for cracks in the code, and some of the findings are less optimistic.
Hardware security firm Hardened Vault told Bleeping Computer, “The attacker/bug hunter can benefit immensely from leaks, even if there is a leak. [manufacturer] the implementation is only partially used in production. Insyde’s solution can help security researchers, bug hunters (and attackers) find the vulnerability and easily understand the reverse-engineered result, adding to the high long-term risk for users. users.
Since a KeyManifest private encryption key was found in the leak, it’s possible that hackers could use it to bypass Intel’s hardware security. Even so, it’s still quite a long shot, so you probably don’t have to worry too much.
In any case, it is worth protecting yourself with anti-virus software to ensure that no attacker can gain access to your computer, and subsequently, the BIOS.
#Huge #Intel #Alder #Lake #BIOS #Leak #Put #Users #Risk #Digital #trends