Tillie Kottmann, a Switzerland-based IT consultant and self-proclaimed leaker, announced on Twitter a massive 20GB initial data dump titled “Intel exconfidential Lake Platform Release.” The data was supposedly downloaded “earlier this year.”
This data dump purportedly contains:
- Intel ME Bringup guides + (flash) tooling + samples for various platforms
- Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
- Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
- Silicon / FSP source code packages for various platforms
- Various Intel Development and Debugging Tools
- Simics Simulation for Rocket Lake S and potentially other platforms
- Various roadmaps and other documents
- Binaries for Camera drivers Intel made for SpaceX
- Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
- (very horrible) Kabylake FDK training videos
- Intel Trace Hub + decoder files for various Intel ME versions
- Elkhart Lake Silicon Reference and Platform Sample Code
- Some Verilog stuff for various Xeon Platforms, unsure what it is exactly.
- Debug BIOS/TXE builds for various Platforms
- Bootguard SDK (encrypted zip)
- Intel Snowridge / Snowfish Process Simulator ADK
- Intel Marketing Material Templates (InDesign)
- Lots of other things
That is quite a list for just the first 20GB chunk of the hacker’s alleged trove. When asked, Intel gave several media outlets the same statement: “We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data.”
Kottmann’s anonymous source, however, gave a more detailed account of how the data was obtained. According to that account, the files sat on a misconfigured server behind Akamai’s CDN. The hacker ran an internet-wide nmap scan for a particular open port and turned up 370 candidate servers, then used a Python script to probe each one, trying default username/password combinations and looking for files and folders that could be read without authentication. The folders on the Intel server were allegedly “lying open if you could guess the name of one,” and once one was found, reaching every other folder, including those whose names were unknown, was a quick directory traversal. A second misconfiguration let the hacker masquerade as any employee and even create new users.
That second misconfiguration also explains why Intel would conclude that an authorized user leaked the data: downloads made under an impersonated or newly created account look, in the logs, like any registered customer’s downloads.
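The folder-guessing step in that account is worth turning into a check you can run against your own hosts before someone else does. The Python script below is an added example, not code from the article, from Intel, or from the hacker: it requests a list of guessable folder names under a base URL and flags only those that come back as a stock auto-generated directory index (it does not try credentials). The folder names, the marker strings, and the local test server with its constructed document root are all assumptions made for illustration.

```python
# Added example: self-audit for unauthenticated directory listings.
# Not code from the article or from Intel/Akamai; the folder names, marker
# strings and the local test server below are constructed for illustration.
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Strings that stock web servers emit on an auto-generated directory index.
LISTING_MARKERS = (
    "<title>Index of /",        # Apache mod_autoindex, nginx autoindex
    "Directory listing for",    # Python http.server
    "[To Parent Directory]",    # IIS directory browsing
)

# Guessable folder names to probe (hypothetical; not the paths from the leak).
CANDIDATE_DIRS = ("docs", "firmware", "tools", "samples", "backup", "releases")


def fetch(url, timeout=5):
    """GET `url` and return (status, body). A 4xx/5xx is a result, not an
    error; a connection failure returns (None, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def is_listing(status, body):
    """True when the response is a 200 whose body looks like an auto-index."""
    return status == 200 and any(marker in body for marker in LISTING_MARKERS)


def audit_host(base_url, candidates=CANDIDATE_DIRS):
    """Return the candidate folders under `base_url` that expose a listing.
    Only a 200 with an index-style body counts: a 403 means listings are
    off, a 404 means the guess was wrong, and a 200 that is a real page
    (e.g. an index.html) is not a listing."""
    return [name for name in candidates
            if is_listing(*fetch(urljoin(base_url, name + "/")))]


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler with per-request logging silenced."""
    def log_message(self, format, *args):
        pass


def start_local_server(root):
    """Serve `root` on a random loopback port with listings enabled, i.e. the
    misconfiguration being audited. Returns (server, port)."""
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Build a constructed document root and audit it.
    docs/   -> files only, so the server auto-generates a listing (exposed)
    tools/  -> has an index.html, so that page is served instead (not exposed)
    others  -> absent, so the guess yields a 404"""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "bringup_guide.pdf"), "w") as fh:
            fh.write("constructed sample file\n")
        os.makedirs(os.path.join(root, "tools"))
        with open(os.path.join(root, "tools", "index.html"), "w") as fh:
            fh.write("<html><body>nothing to see</body></html>\n")
        server, port = start_local_server(root)
        try:
            return audit_host(f"http://127.0.0.1:{port}/")
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("exposed listings:", demo())  # ['docs']
```

Run it against hosts you are authorized to test, or just run the file to see the constructed case: the folder that holds only files is reported, the folder with an index.html is not, and wrong guesses return 404. The server-side fix is to disable auto-indexing (`Options -Indexes` in Apache, `autoindex off;` in nginx) and to put anything not meant to be public behind authentication rather than behind an unguessable folder name.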
Once again we have a massive data breach caused by misconfigured cloud services or publicly accessible servers, with major fallout for the affected company. Capital One’s 2019 breach, which exposed data on more than 100 million people in the USA and about 6 million in Canada, is one recent example.
Several of the zip files in the leak are encrypted, but with short, easily guessed passwords, and in some cases the password was written down in documentation stored alongside the archive. Had these files been protected with sufficiently long passwords that were not kept next to the files themselves, they would most likely still be uncracked.
Sadly, many big corporations still skip best-practice configuration reviewed by trained professionals, and the result is exposed systems that leak data. Breach after breach has compromised highly damaging data affecting millions of people, sometimes exposing them to identity fraud for the rest of their lives, as in the Equifax hack. In Intel’s case, however, it is the company itself that is harmed, with confidential source code, tools, and other materials making their way onto the internet at large.
As this story unfolds, I’m sure we’ll see just how damaging some of the leaked contents are, as security researchers and enthusiasts comb over the exposed data.