Experts have assured that the confirmed leak of Intel's Alder Lake source code will 'most likely' not lead to any meaningful adverse impact on the security of its products, despite others branding the leak as a "scary" prospect.
According to experts who spoke to IT Pro, attackers would need access to other components to have a substantial chance of developing harmful exploits and also be able to bypass the existing protections that Intel has in place.
RELATED RESOURCE
The trusted data centre and storage infrastructure
Invest in infrastructure modernisation to drive improved outcomes
"It is unlikely that viewing software code alone will cause a subsequent cyber security incident," said John Goodacre, director at the UKRI’s Digital Security by Design challenge and professor of Computer Architectures at Manchester University. "Much of the UEFI source code is already open source and available for third-party use and inspection.
"Proprietary initialisation and configuration code can make it easier to understand potential attack vectors, but with appropriate hardware protection such as a root of trust, trusted execution environments and other security by design features in the implementation would mean it is no less secure unless production keys are also exposed."
Others echoed Goodacre's position that the industry nor Intel customers should be alarmed. Martin Jartelius, chief security officer at Outpost24, said the way in which the data had come to be leaked is substantially more interesting than the contents of the leak itself.
“There is no need to be alarmed by this data leak in and of itself, if you are a user of this technology," he said. "There is, however, more concern that either someone working in relation to hardware either had their repository or system breached, or are themselves careless with the information they process on behalf of others. Where this leak happened and why, to me, is substantially more of interest for us as a community than the code.”
At time of writing, no verifiable source for the files has come forward and therefore few conclusions on operational security can be drawn from the leak but it's certain that Intel will be investigating the incident closely.
The news sparked an initial scare that the leak could lead to the discovery of novel exploits impacting Intel's processors built using its Alder Lake architecture, launched in November 2021.
In theory, attackers with access to a company's source code are able to more easily find novel vulnerabilities in the impacted product by reverse engineering the way in which the code functions.
Sam Linford, VP EMEA channels at Deep Instinct, agreed and added that “the theft of source code is an extremely scary prospect for organisations". Other companies such as Rockstar Games and LastPass have both been victims of source code theft this year.
The Alder Lake leak
Rumours started circulating on Friday of a potential leak of Intel's Alder Lake source code after a series of links were posted on Twitter via anonymous messaging board 4Chan. The links led to a download of files totalling 5.86GB in size.
The Twitter link led to GitHub a repository titled ‘ICE_TEA_BIOS’ and was last edited on 30 September. This contained a compressed version of the files, but has now been taken down.
"Our proprietary UEFI code appears to have been leaked by a third party,” said an Intel spokesperson to IT Pro, confirming the leak to be genuine.
“We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty programme within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them our attention through this programme.
"We are reaching out to both customers and the security research community to keep them informed of this situation."
Due to the size of the file repository, security researchers are taking time to determine what critical information might have been exposed by the leak.
Concerns were immediately raised over the extent to which hackers might be able to utilise Intel’s Alder Lake BIOS source code and it's still unclear whether the files were the subject of a data breach, or whether an insider leak from within Intel or a connected firm was the source.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
PowerEdge - Cyber resilient infrastructure for a Zero Trust worldWhitepaper Combat threats with an in-depth security stance focused on data security
-
Redefining modern enterprise storage for mission-critical workloadsWhitepaper Evolving technology to meet the mission-critical needs of the most demanding IT environments
-
The business value of storage solutions from Dell TechnologiesWhitepaper Streamline your IT infrastructure while meeting the demands of digital transformation
-
Cyber resiliency and end-user performanceWhitepaper Reduce risk and deliver greater business success with cyber-resilience capabilities
-
Understanding the economics of in-cloud data protectionWhitepaper Data protection solutions designed with cost optimisation in mind
-
Intel expands its bug bounty program with Project Circuit BreakerNews The initiative aims to address vulnerabilities in Intel’s firmware, GPUs, hypervisors, and chipsets
-
Intel CPU flaw could enable hackers to attack PCs, cars, and medical devicesNews Vulnerability found in Pentium, Celeron, and Atom processors
-
Hackers abuse single bit change in Intel CPU register to evade detectionNews Palo Alto Networks discovers that Trap Flag is being abused to notify malware it is being analyzed
