
Intel Alder Lake Source Code Leak Caused by Third Party, Boot Guard at Risk of Compromise

A copy of the Intel Alder Lake BIOS posted to 4Chan has been confirmed as legitimate by the chip manufacturer, and the source code leak has raised security concerns. Among the proprietary information that security researchers have unearthed is internal documentation of Intel Boot Guard, a feature that has been present since the 4th Intel Core generation (the “Haswell” processors that debuted in 2014) and provides an optional layer of malware protection.

Intel Alder Lake leak confirmed, includes source code and proprietary information

The Intel Alder Lake leak first appeared as a 2.8 GB zip (expanding to 5.86 GB) posted by an unknown party to the anonymous-by-design message board 4Chan. It was initially unclear if the leak contained any proprietary or inside information, but Intel has since confirmed that it is a genuine source code leak.

The Intel Alder Lake processor was released in late 2021, but the secrets revealed by this internal documentation and code potentially stretch back through the entire 4th Intel Core generation. In addition to the source code, the zip file contains numerous tools meant for building BIOS images for the platform, along with private keys and Authenticated Code Modules (ACMs) used for security purposes.

It is now clear that the source code leak provides enough information to potentially develop exploits for Intel Alder Lake and other fairly recent chips from the company, though the possibilities may be somewhat limited by Intel’s security approach. Intel has stated that the source code leak does not reveal any new vulnerabilities, and that the company does not rely on obfuscation of information as a security measure. That said, the statement does not preclude the possibility that the numerous parties now poring over the code might hit upon something to exploit; to that end, Intel also encouraged submissions to its Project Circuit Breaker bug bounty program.

Security researcher Mark Ermolov is one of those conducting a deep dive into the Intel Alder Lake file dump, and his findings thus far indicate that particular aspects of chip security are at risk. A private signing key for Intel Boot Guard was apparently included in the source code leak, meaning that the feature could now be entirely broken if this particular key is used in production. Boot Guard makes use of a dedicated boot ROM on the motherboard that must verify a firmware signature before it will allow the boot process to initiate, guarding against malware and attacks that involve altering the core firmware. Boot Guard is optional, but is sometimes enabled by default by vendors.
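To make the trust chain described above concrete, here is an added toy model (not Intel's code or keys; constructed textbook RSA with small primes and a sha256 fingerprint standing in for the platform's fused key hash) of a verifier that only boots firmware signed by a pinned key. It shows why a leaked private signing key defeats the signature check by itself, and why the defender's lever is revoking the compromised key's fingerprint.

```python
import hashlib

# Constructed toy RSA parameters (small, well-known primes; real Boot Guard
# keys are far larger). Illustration only, not Intel's keys or code.
P, Q = 999983, 1000003
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (needs Python 3.8+)

OEM_PRIVATE_KEY = (N, D)   # the secret an OEM must never let leave its HSM
OEM_PUBLIC_KEY = (N, E)


def key_hash(pub) -> str:
    """Fingerprint of a public key; Boot Guard fuses such a hash into the platform."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# Stands in for the OEM key hash burned into the platform at manufacture.
PLATFORM_FUSED_KEY_HASH = key_hash(OEM_PUBLIC_KEY)


def digest_int(image: bytes) -> int:
    """SHA-256 of the firmware image, reduced mod N so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def sign(image: bytes, priv) -> int:
    """Textbook RSA signature over the image digest (what the OEM build server does)."""
    n, d = priv
    return pow(digest_int(image), d, n)


def verify_boot(image: bytes, signature: int, pub, revoked_key_hashes=frozenset()) -> bool:
    """Boot-ROM style check: the key must match the fused hash, must not be on the
    revocation list, and the signature must verify over the image digest.
    Note the signature check alone cannot tell a leaked key from a legitimate one."""
    n, e = pub
    fingerprint = key_hash(pub)
    if fingerprint != PLATFORM_FUSED_KEY_HASH:
        return False  # unknown signer
    if fingerprint in revoked_key_hashes:
        return False  # signer's key is known-compromised, refuse to boot
    return pow(signature, e, n) == digest_int(image)
```

Once the OEM's private key is public, anything it signs passes the pinned-key check, so only revocation of that fingerprint (or a key the platform cannot rotate, which is the concern raised in the article) separates trusted from untrusted firmware.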

What may be of greater concern is the discovery of model specific registers (MSRs) that are used by particular vendors; the documentation for these is not supposed to reach the public, because it could be used to find and exploit vulnerabilities.

Project Circuit Breaker also may not end up keeping any new vulnerabilities that are discovered out of the wild, as it pays only a maximum of $100,000 per bug; “black hats” would likely get more selling it privately or even directly exploiting it. But there may not be much else to discover, as all indications are that this leak came from an external vendor, and that Intel scrubs key information from the Intel Alder Lake files before they are provided to vendors.

Who was behind the source code leak?

It’s still not totally clear who was responsible for the Intel Alder Lake source code leak, beyond Intel confirming that a “third party” was responsible. Breadcrumbs of clues have created trails back to certain parties, however.

The first is the creator of the original GitHub account that hosted the source code leak (since taken down, but numerous copies have been made). It appeared to be an employee of a China-based laptop manufacturer called LC Future Center that contracts with Lenovo to produce some of its models. The source code leak also included a file containing “Lenovo Feature Tag Test Information” and other references to Lenovo BIOS supplier Insyde Software. All of that said, the actual source of the Intel Alder Lake leak has yet to be confirmed.


The pilfered information on the Intel Alder Lake line, and the related 4th gen chips the source code leak impacts, is primarily a threat to desktop, mobile and certain embedded systems; at this time it does not appear to be a direct threat to the Intel Xeon line commonly used in servers, but there is always a possibility that firmware code is shared between server and client platforms. The incident is still in the investigation stages, with no word yet of patching or remediation measures for impacted hardware. Until more is known about the exact scope of the risk there is little remediation action that makes sense at this time, save for possibly adding some sort of third-party firmware security solution.