Intel has confirmed that the leaked 12th Gen Intel Core (Alder Lake) UEFI BIOS source code is genuine. The leak comprises 5.97 GB of data, including source code, private keys, changelogs, and compilation tools. The most recent file is dated September 30, 2022.
Researchers note that the source code contains many references to Lenovo, including “Lenovo String Service”, “Lenovo Secure Suite” and “Lenovo Cloud Service”. It is not yet known whether the leak resulted from a cyberattack or whether the data was published by an insider.
“Our proprietary UEFI code appears to have been made public by a third party. We do not believe this opens up any new security vulnerabilities as we do not rely on information obfuscation as a security measure. This code is eligible for our Project Circuit Breaker ‘bug bounty’ program, and we encourage all researchers who may discover potential vulnerabilities to report them as part of this program. We are reaching out to both customers and the security research community to inform them of this situation,” an Intel spokesperson said.
Intel therefore does not believe that the leak will lead to any security issues. Information security experts are less optimistic: access to the source code will help attackers find vulnerabilities in it. A further problem is that the private KeyManifest encryption key used in Intel Boot Guard was leaked as well. If this key is indeed used by Intel, hackers could potentially use it to change the boot policy and bypass hardware protection.