A source code leak involving a recent Intel chip may have compromised some layers of security for the company’s main line of consumer-end processors that date back to 2014. Source code for the Intel Alder Lake BIOS, complete with assorted documentation, was posted by an anonymous party to the 4Chan message board and has since spread through GitHub.
Intel has confirmed that the leak is legitimate, and it could potentially create security issues for the company’s recent line of desktop, laptop and embedded device processors. There is no indication yet that the Xeon server line has been impacted, however.
Source code leak came from unknown party, signs indicate it originates from a Lenovo contractor
No one has stepped forward to take credit for the Intel Alder Lake breach; whoever is responsible has opted to make full use of the anonymity of 4Chan. There also does not appear to be a financial motive, with the attacker simply dumping the source code leak to the public with no fanfare or follow-up.
There are some strong indications as to where the source code leak originated, however. A GitHub account appeared hosting the Intel Alder Lake files at about the same time the 4Chan post was made, and that account appeared to belong to an employee of a Chinese laptop manufacturing outfit called LC Future Center. This company contracts with several laptop brands, including Lenovo. Files that specifically reference Lenovo BIOS manufacturer inside software and that refer to Lenovo-specific test information provide a strong indication that the Intel Alder Lake files somehow escaped from this particular manufacturer's production environment.
Though the leak focuses on Intel Alder Lake, the included information potentially impacts a full range of 4th generation retail chips going back to 2014. Unfortunately, there are no patches or remediation measures officially available as of yet; the only real option for those who are concerned about the impact of the source code leak is some form of third-party firmware security add-on.
Intel Alder Lake & 4th Gen chips impacted, but security vulnerabilities may not be broad
The Intel Alder Lake files contain nearly 6 GB of information in a zip file, most of it the leaked BIOS source code. Assorted tools and documentation are included, some of which present potential security problems should threat actors discover the right elements.
Some elements that have already been uncovered by security researchers may already be exploitable. An assortment of private keys, model-specific registers (MSRs) and Authenticated Code Modules (ACMs) have been found, which could provide pathways to potential vulnerabilities in Intel Alder Lake or other 4th gen chips. Intel is downplaying the impact, however, saying that it does not use a “security through obscurity” approach and that opportunities available to attackers will be limited. It also encouraged security researchers to submit anything they find to its Project Circuit Breaker bug bounty program, which pays out up to $100,000 per vulnerability.
The single layer of security that appears to be most at risk is the optional Intel Boot Guard, a feature found throughout the 4th generation chips. When enabled, a discrete boot ROM on compatible motherboards verifies the firmware signature before allowing the BIOS to load. Researchers have discovered a private signing key, however, which could essentially render the feature useless.
The amount of damage the source code leak will ultimately do depends on how thorough Intel is in scrubbing sensitive data before sending it to external vendors.