Intel Alder Lake BIOS source code was leaked — should you be worried?

It’s official — the source code for the Intel Alder Lake BIOS was leaked, and Intel has confirmed it. A total of 6GB of code and tools used for building the BIOS/UEFI is now out in the wild, having been posted on GitHub and 4chan.

Intel doesn’t seem too concerned, but security researchers are now hard at work trying to see if this can be used in a malicious way. If you own an Alder Lake CPU, should you be worried?

I can't believe: NDA-ed MSRs, for the newest CPU, what a good day… pic.twitter.com/bNitVJlkkL

— Mark Ermolov (@_markel___) October 8, 2022

News of the leak broke out a couple of days ago when the code was found in a public GitHub repository, as well as shared on 4chan. The 6GB file contains some of the tools and code that Intel has used to build the BIOS/UEFI in its Alder Lake CPUs. Seeing as these are some of the best processors out currently, this could potentially put a lot of Intel’s customers at risk.

The BIOS/UEFI firmware is responsible for initializing the hardware before the operating system has the chance to load. As such, it’s responsible for establishing secure connections to important mechanisms within the computer, such as the Trusted Platform Module (TPM). The BIOS plays an important role in any computer, so it’s certainly not good that the source code for it could now be in the hands of nefarious threat actors.

Initially, it was uncertain whether the leaked file was the real deal, but Intel itself has now confirmed that to be the case. In a statement issued to Tom’s Hardware, Intel said:

“Our proprietary UEFI code appears to have been leaked by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to keep them informed of this situation.”

Intel’s statement implies that the most sensitive data had already been scrubbed from the source code before it was released to external partners. The source code contains many references to Lenovo, including “Lenovo String Service,” “Lenovo Cloud Service,” and “Lenovo Secure Suite.” Bleeping Computer notes that all of the code was developed by Insyde Software Corp.

While this leak sounds pretty bad, Intel doesn’t seem to be overly concerned — although it’s good that it refers everyone to its bug bounty program. Many security researchers are already looking for cracks in the code, and some of the findings are less optimistic.

Hardware security firm Hardened Vault told Bleeping Computer: “The attacker/bug hunter can hugely benefit from the leaks even if leaked [manufacturer] implementation is only partially used in the production. The Insyde’s solution can help the security researchers, bug hunters, (and the attackers) find the vulnerability and understand the result of reverse engineering easily, which adds up to the long-term high risk to the users.”

Seeing as a KeyManifest private encryption key was found in the leak, it’s possible that hackers could use it to bypass Intel’s hardware security. Even so, it’s still a fairly long shot, so you probably don’t have to be too worried.

In any case, it’s worth it to keep yourself safe with some antivirus software to ensure that no attackers can access your computer, and subsequently, the BIOS.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…