SecurityWeek

Intel Confirms UEFI Source Code Leak as Security Experts Raise Concerns

Intel has confirmed that some of its UEFI source code has been leaked, and while some security experts believe the incident could have serious implications, the chipmaker says it’s not concerned.

Last week, someone announced leaking source code associated with the Alder Lake BIOS — Alder Lake is Intel’s codename for its 12th generation Core processors. The files total nearly 6 Gb and they were made public on GitHub and other websites.

Mark Ermolov, a security researcher who specializes in Intel products, analyzed the leaked code and reported finding a private signing key which, he claimed, meant the Intel Boot Guard feature, which is designed to protect the integrity of the boot process, could no longer be trusted.

Intel has confirmed the unauthorized disclosure of proprietary UEFI code and blamed the leak on an unnamed third party.

“Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure,” the tech giant told SecurityWeek.

“This code is covered under Intel Bug Bounty Program within a Project Circuit Breaker campaign, and we encourage any security researchers who may identify potential vulnerabilities to bring them to our attention through this program or our vulnerability disclosure program. We are reaching out to customers, partners and the security research community to keep them informed of this situation,” Intel added.

Hong Kong-based cybersecurity firm Hardened Vault has analyzed the leak and reported that the code was written by Insyde, a company that provides UEFI firmware and engineering services.

In the past, researchers warned that vulnerabilities affecting Insyde UEFI firmware code had impacted millions of devices, including from major vendors such as HP, Lenovo, Fujitsu, Microsoft, Intel, and Dell.

Evidence suggests that the leaked source code may have originated from China, specifically a company that manufactures Lenovo computers and tablets.

“We do not have a comprehensive review of the leaked content,” Hardened Vault said. “[An] attacker/bug hunter can hugely benefit from the leaks even if the leaked OEM implementation is only partially used in the production. Insyde’s solution can help security researchers, bug hunters (and the attackers) find the vulnerability and understand the result of reverse engineering easily, which adds up to long-term high risk to the users.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
