Intel has confirmed that its proprietary UEFI code for its 12th Gen processors has been leaked. The 6GB file, published to 4chan and Github, contains information regarding the creation and optimisation of BIOS code for Alder Lake chips, however, Intel does not suspect this will expose any new security vulnerabilities.
The source code to the Intel Alder Lake has been leaked online.* Alder Lake CPU was released November 4, 2021* Source code is 2.8GB (compressed)* Leak (allegedly) from 4chan* We have not reviewed the entirety of the code base, it is massiveOctober 8, 2022
“Our proprietary UEFI code appears to have been leaked by a third party,” an Intel spokesperson says to Tom’s Hardware (opens in new tab).
“We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.”
It appears as though Intel’s strategy is to avoid having any ‘secret code’ as a part of its processor security. I imagine that’s to primarily avoid a situation like this one today, where said code could, if in the wrong hands, make mincemeat of its processor security. The company does sound quite confident that this leak shouldn’t pose any security threat as a result.
Intel’s statement suggests a third party is responsible for the files getting out there, rather than a hack of its own internal systems. As Twitter user SttyK (opens in new tab) and the Tom’s Hardware report note, the Github repository was created by an employee at LC Future Center, a China-based laptop manufacturer, and parts of the code mention Lenovo, one of LC Future Center’s clients. However, this connection has not been confirmed by Intel or elsewhere.
The exposed UEFI files will still cause concern to security researchers, even if ultimately Intel feels its CPUs will still be safe from nefarious actors. The UEFI works in tandem with the OS to deliver on fundamental security principles within Windows and to ensure that exploits don’t gain access to private information. It already appears that security researchers are paying close attention to the leaked files to see what they can uncover.
Those that uncover any vulnerabilities in the code may be in line for a cash reward, too. Intel mentions that the code is covered by its Project Circuit Breaker campaign, which is another name for its bug bounty program. There’s a specific “Code Challenge” in place for this particular BIOS leak. It’s called “Alders & Seekers (opens in new tab)”.
“Due to the unauthorized disclosure of Intel’s proprietary UEFI code for Alder Lake we are opening the private Alders & Seekers bug bounty campaign to all security researchers. In addition, we have extended the end date of this campaign from October 15, 2022 to 9AM US eastern time on January 20, 2022. The standard Intel(R) Bug Bounty Program policy applies to this campaign.”
So if there are any holes in Alder Lake’s security that arise from this leak, here’s hoping they’ll be patched up before they’re more widespread as a result of the bug bounty. These programs can pay handsomely, depending on the severity of the bug, which often attracts some skilled security experts into helping out.
In the meantime, this shouldn’t be cause of any immediate concern for PC gamers rocking an Intel Core i9 12900K or other 12th Gen processor. So don’t fret. If there is any such cause for concern in the future, making sure you’ve kept your system up to date and running the latest mitigations will often prove the best defence against these sorts of exploits.