Intel Alder Lake chips safe from novel exploits following source code leak, experts say
The mystery surrounding how the code was leaked is a more interesting story, experts told IT Pro, despite others branding the incident "scary"
Experts have assured that the confirmed leak of Intel's Alder Lake source code will 'most likely' not lead to any meaningful adverse impact on the security of its products, despite others branding the leak as a "scary" prospect.
According to experts who spoke to IT Pro, attackers would need access to other components to have a substantial chance of developing harmful exploits and also be able to bypass the existing protections that Intel has in place.
"It is unlikely that viewing software code alone will cause a subsequent cyber security incident," said John Goodacre, director at the UKRI’s Digital Security by Design challenge and professor of Computer Architectures at Manchester University. "Much of the UEFI source code is already open source and available for third-party use and inspection.
"Proprietary initialisation and configuration code can make it easier to understand potential attack vectors, but with appropriate hardware protection such as a root of trust, trusted execution environments and other security by design features in the implementation would mean it is no less secure unless production keys are also exposed."
Others echoed Goodacre's position that neither the industry nor Intel customers should be alarmed. Martin Jartelius, chief security officer at Outpost24, said the way in which the data had come to be leaked is substantially more interesting than the contents of the leak itself.
“There is no need to be alarmed by this data leak in and of itself, if you are a user of this technology," he said. "There is, however, more concern that either someone working in relation to hardware either had their repository or system breached, or are themselves careless with the information they process on behalf of others. Where this leak happened and why, to me, is substantially more of interest for us as a community than the code.”
At the time of writing, no verifiable source for the files has come forward, so few conclusions on operational security can be drawn from the leak, but it's certain that Intel will be investigating the incident closely.
In theory, attackers with access to a company's source code are able to more easily find novel vulnerabilities in the impacted product by reverse engineering the way in which the code functions.
Sam Linford, VP EMEA channels at Deep Instinct, agreed and added that “the theft of source code is an extremely scary prospect for organisations". Other companies such as Rockstar Games and LastPass have both been victims of source code theft this year.
The Alder Lake leak
Rumours started circulating on Friday of a potential leak of Intel's Alder Lake source code after a series of links were posted on Twitter via anonymous messaging board 4Chan. The links led to a download of files totalling 5.86GB in size.
The Twitter link led to a GitHub repository titled ‘ICE_TEA_BIOS’, which was last edited on 30 September. This contained a compressed version of the files, but has now been taken down.
"Our proprietary UEFI code appears to have been leaked by a third party,” said an Intel spokesperson to IT Pro, confirming the leak to be genuine.
“We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty programme within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this programme.
"We are reaching out to both customers and the security research community to keep them informed of this situation."
Due to the size of the file repository, security researchers are taking time to determine what critical information might have been exposed by the leak.
Concerns were immediately raised over the extent to which hackers might be able to utilise Intel’s Alder Lake BIOS source code and it's still unclear whether the files were the subject of a data breach, or whether an insider leak from within Intel or a connected firm was the source.