A few days ago, a user published the source code of Intel Alder Lake UEFI on the well-known anonymous website 4chan, and a copy of the file was published on GitHub at the same time (the files on both sites are currently inaccessible. , but has been circulated online). The source code file is a compressed package with a capacity of 2.8GB, and the decompressed capacity is 5.86GB.

A few days after the incident, Intel officially confirmed the source code leak:

Our proprietary UEFI code appears to have been leaked by a third party, and we don’t believe this exposes any new security holes. This code belongs to our “Project Circuit Breaker” bug bounty program, through which we encourage any researchers who find potential vulnerabilities to bring them to our attention. We are reaching out to customers and security researchers to let them know about this.

Querying the program on the official website shows that Intel will reward each vulnerability between $5 million and $100,000, depending on the severity of the reported problem.

The leaked source code contains a large number of files and tools for building BIOS/UEFI for Intel’s Alder Lake platform and chipsets. A computer’s BIOS/UEFI initializes the hardware before the operating system loads, including establishing connections to certain security mechanisms, such as TPM (Trusted Platform Module). Now that the BIOS/UEFI code has been leaked and officially confirmed, hackers and security researchers will no doubt study this part of the code for potential backdoors and security holes.

Intel has not disclosed who leaked the code this time and how it was leaked, but one of the documents shows “Lenovo Feature Tag Test Information”, which seems to indicate that the leak did not come from Intel, but Originated from the OEMs it works with.

If the source code really comes from Intel’s OEM partners as found above, then this leakpossibleIt won’t have much impact. Motherboard vendors and OEM manufacturers that currently work with Intel have similar tools and information to build the appropriate firmware for Intel platforms, and Intel will erase the overly sensitive content before handing it over to the OEM.

There has been an upward trend in recent hacking incidents. Some time ago, AMD also had an incident of stealing information through OEM manufacturers. Hackers stole 112GB of sensitive data through AMD’s partner Gigabyte. Zen 4 processor related, and later with the official release of AMD Zen 4 processor, it was confirmed that the leaked information is true.

In addition to Intel and AMD, companies that have had source code leaks this year include Samsung, the LastPass password manager, and Rockstar, which owns the GTA 6 game.