Monday, October 10th 2022

Intel Confirm Alder Lake UEFI/BIOS Source Code Leak

Intel Alder Lake source code for BIOS/UEFI building and optimization has been leaked in a massive 6 GB leak that appeared on 4chan and GitHub. While this number may seem small, it is a colossal codebase, given that the regular code files take up small space. We assume that the documentation is bundled there as well, however, we can not check ourselves as the repository has been taken down. Tom's Hardware has contacted an Intel representative to talk about the code leak and the rep issued a statement for the website.
Intel SpokespersonOur proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.
While we don't know exactly who made the source code public, assumptions led to Chinese vendors creating software for Lenovo. There are no direct accusations, and Intel hasn't stated who is to blame, so we have to wait for further information.
Source: Tom's Hardware
Add your own comment

24 Comments on Intel Confirm Alder Lake UEFI/BIOS Source Code Leak

#1
Crackong
Some PR team put the wrong file in the 'Another Day another Intel Leak' Folder ?
Posted on Reply
#2
Chaitanya
CrackongSome PR team put the wrong file in the 'Another Day another Intel Leak' Folder ?
Rather another day another leak. Far too many breaches these days with these companies.
Posted on Reply
#3
GoldenX
So, AVX-512 toggles when.
Posted on Reply
#4
bug
While this number may seem small, it is a colossal codebase
Why would that seem small? Was the code leaked in 4k HDR uncompressed format?
Posted on Reply
#5
marios15
Well....if this includes microcode...meltdown is going to be back
Posted on Reply
#6
Unregistered
GoldenXSo, AVX-512 toggles when.
Unlockable multipliers!
#7
zlobby
What cyberdefense doing?
Posted on Reply
#8
Ownedtbh
zlobbyWhat cyberdefense doing?
for something that is way older than 10 years?
Posted on Reply
#9
Vayra86
zlobbyWhat cyberdefense doing?
Keeping busy :)
Posted on Reply
#10
zlobby
Vayra86Keeping busy :)
Ah, a NAFO fella! :cool:
Posted on Reply
#11
Vayra86
Just caught the last line in that article.

'While we don't know exactly who made the source code public, assumptions led to Chinese vendors creating software for Lenovo. There are no direct accusations, and Intel hasn't stated who is to blame, so we have to wait for further information'

Oh boy, Superfish V2, here we come
Posted on Reply
#12
TheoneandonlyMrK
This can't be good.

What's the commonality like for uefi between vendors is one question I have.
Posted on Reply
#13
bug
TheoneandonlyMrKThis can't be good.
This can be better than good. It can show the importance of security that is not built upon closed firmware and things like that. You know, things projects like Coreboot have been preaching for years.
Posted on Reply
#14
TheoneandonlyMrK
bugThis can be better than good. It can show the importance of security that is not built upon closed firmware and things like that. You know, things projects like Coreboot have been preaching for years.
I mean yes, it could push that correct agenda, but given most Aibs have been hacked at some point does it mean greater security issues for all in the short term.

I am not in security so these questions are both genuine and non confrontational IE I want to know.

Do I need to be careful about bios flashes now from OEM sources etc.

Is it worse than that in respect to this hacked knowledge allowing some serious administration level violation through simple phishing exploits etc.
Posted on Reply
#15
bug
TheoneandonlyMrKI mean yes, it could push that correct agenda, but given most Aibs have been hacked at some point does it mean greater security issues for all in the short term.

I am not in security so these questions are both genuine and non confrontational IE I want to know.

Do I need to be careful about bios flashes now from OEM sources etc.

Is it worse than that in respect to this hacked knowledge allowing some serious administration level violation through simple phishing exploits etc.
The first thing you could do, would be to modify the UEFI itself, or some firmware module it uses. But then, you'd need a way to install that on a machine to compromise it. Most people update their UEFI from the motherboard's manufacturer's site. And you get newer firmware modules through Windows or Linux updates. While I'm sure someone will find a way to do just that, I expect the damage to be limited to users that get their updates from questionable sources. I.e., very limited.

But I'm no security expert, let's wait and see what they have to say.
Posted on Reply
#16
zlobby
bugThe first thing you could do, would be to modify the UEFI itself, or some firmware module it uses. But then, you'd need a way to install that on a machine to compromise it. Most people update their UEFI from the motherboard's manufacturer's site. And you get newer firmware modules through Windows or Linux updates. While I'm sure someone will find a way to do just that, I expect the damage to be limited to users that get their updates from questionable sources. I.e., very limited.

But I'm no security expert, let's wait and see what they have to say.
Many UEFI have OS interfaces to push blobs to them. Or worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
Posted on Reply
#17
bug
zlobbyMany UEFI have OS interfaces to push blobs to them.
Of course they do, that's how you get new firmware through Windows or Linux update.
zlobbyOr worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
Idk about undocumented means, but it's not like users are too aware when they get a firmware update anyway. Luckily, that's what makes them likely to be using the default update channels: they don't know how to mess with that.
That changes if the users click on "install this asap for added security" email they got from an innocent bystanders. But you can't save those users anyway.
Posted on Reply
#18
mechtech
"Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities"

But is it possible??
Posted on Reply
#19
zlobby
bugOf course they do, that's how you get new firmware through Windows or Linux update.

Idk about undocumented means, but it's not like users are too aware when they get a firmware update anyway. Luckily, that's what makes them likely to be using the default update channels: they don't know how to mess with that.
That changes if the users click on "install this asap for added security" email they got from an innocent bystanders. But you can't save those users anyway.
Every update that you didn't get from an official source and you didn't deploy it yourself is a security risk.
I for one prefer to be able to update UEFI only from one place, needing the physical presence of moir.
Posted on Reply
#20
natr0n
hacked optimizations perhaps
Posted on Reply
#21
Dyatlov A
Maybe we can adjust SA voltage for non K processors after this?
Posted on Reply
#22
zlobby
Dyatlov AMaybe we can adjust SA voltage for non K processors after this?
Only if you put your order in the log, comrade?

3.6V. Not great, not terrible.
Posted on Reply
#23
PapaTaipei
We do not believe this exposes any new security vulnerabilities

The key word here is "BELIVE"...
Posted on Reply
#24
R-T-B
marios15Well....if this includes microcode...meltdown is going to be back
If they were relying on security through obscurity maybe. Nobody does that anymore though. This should make little difference, and maybe even help the overall security.
PapaTaipeiWe do not believe this exposes any new security vulnerabilities

The key word here is "BELIVE"...
Believe. And That's all you can ever do when predicting the future.
mechtechBut is it possible??
Anything is possible. But they'd have to be doing some seriously bad practice for it to make things worse.
zlobbyMany UEFI have OS interfaces to push blobs to them. Or worse, there are undocumented ways to push new code (even unsigned one) to UEFI, without the users even knowing.
Those loopholes are closed on most modern builds by vendors these days, at least for unsigned code. There was a big push to eliminate that a year or so ago. And thank god, because UEFI malware was on the cusp of becoming a real issue...
TheoneandonlyMrKI mean yes, it could push that correct agenda, but given most Aibs have been hacked at some point does it mean greater security issues for all in the short term.
Not likely.
Posted on Reply
Add your own comment
Dec 22nd, 2024 23:38 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts