New BIOS/UEFI Vulnerabilities Let Hackers Hijack Your Firmware


Researchers have identified critical vulnerabilities in Illumina iSeq 100 DNA sequencers due to the absence of essential security features such as Secure Boot and firmware write protections.

These flaws allow attackers to exploit outdated BIOS or UEFI implementations, enabling them to compromise the system firmware. This could result in the device being bricked or used to install persistent implants.

Reusing commodity hardware for critical systems, such as DNA sequencers, increases supply chain security risks, while outdated firmware in these devices, often running proprietary software, creates vulnerabilities. 

Despite increased firmware security measures by vendors, attackers exploit supply chain vulnerabilities and leverage advanced techniques like malicious firmware updates and bootkit implants to compromise devices. 

The iSeq 100 boots in legacy BIOS mode through the Compatibility Support Module (CSM), runs an outdated and vulnerable BIOS version (B480AM12), and lacks essential firmware protections such as Read/Write protections and Secure Boot, leaving it susceptible to unauthorized firmware modifications and potential attacks.
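A posture check for two of the conditions described above (legacy CSM boot, Secure Boot state) plus the BIOS version, as an added example that is not code from the researchers or the vendor. It assumes the check runs on a Linux host or live environment that exposes sysfs; the finding codes and the `build_sample` helper are hypothetical names, and the sample tree is constructed test data.

```python
"""Firmware boot-posture audit over a Linux sysfs tree (added example)."""
import tempfile
from pathlib import Path

# SecureBoot variable under the EFI global-variable GUID (UEFI specification).
SB_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
FLAGGED_BIOS = {"B480AM12"}  # BIOS version the article reports as outdated


def audit(root="/"):
    """Return finding codes for the sysfs tree rooted at `root`."""
    root, findings = Path(root), []
    efi = root / "sys/firmware/efi"
    if not efi.is_dir():
        # No EFI runtime interface: the OS was started via legacy BIOS/CSM,
        # so Secure Boot cannot be enforcing anything.
        findings.append("legacy-csm-boot")
    else:
        try:
            data = (efi / "efivars" / SB_VAR).read_bytes()
        except OSError:
            data = b""
        # efivarfs layout: 4 attribute bytes followed by the 1-byte value.
        if len(data) < 5 or data[4] != 1:
            findings.append("secure-boot-disabled")
    try:
        version = (root / "sys/class/dmi/id/bios_version").read_text().strip()
    except OSError:
        version = ""
    if version in FLAGGED_BIOS:
        findings.append("flagged-bios:" + version)
    elif not version:
        findings.append("bios-version-unreadable")
    return findings


def build_sample(root, bios, uefi=False, secure_boot=False):
    """Write a constructed sysfs tree (test data, not from a real device)."""
    dmi = Path(root) / "sys/class/dmi/id"
    dmi.mkdir(parents=True)
    (dmi / "bios_version").write_text(bios + "\n")
    if uefi:
        efivars = Path(root) / "sys/firmware/efi/efivars"
        efivars.mkdir(parents=True)
        (efivars / SB_VAR).write_bytes(b"\x06\x00\x00\x00" + bytes([secure_boot]))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "B480AM12")  # mirrors the configuration described
        print(audit(tmp))
```

Flash read/write protection state is not exposed through sysfs, so this check does not cover it; verifying it requires reading platform registers with a tool such as CHIPSEC.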

Vulnerabilities list

The Illumina sequencer RCE vulnerability (CVE-2023-1968) demonstrates the feasibility of attackers compromising devices with firmware vulnerabilities. It could be exploited remotely and allowed arbitrary code execution on affected devices, leading to an FDA recall and a CISA advisory.

Devices with unpatched vulnerabilities are susceptible to attack, as attackers can exploit these flaws to gain initial access, escalate privileges, and overwrite firmware, potentially bricking the device or enabling persistent malicious activity.

The FDA emphasizes evaluating software functions in medical devices, including firmware, which necessitates robust assessment tools and procedures for both manufacturers and users. 

According to Eclypsium, manufacturers must assess components from suppliers, while healthcare and research institutions must evaluate devices before deployment to ensure safety and integrity.

While iSeq 100 firmware exploitation remains unobserved, historical examples like Hacking Team, LoJax, and MosaicRegressor demonstrate the vulnerability of BIOS/UEFI in traditional devices. 

Attackers leverage these vulnerabilities to execute malicious code below the operating system, establishing a persistent presence beyond the reach of typical security measures and device storage wipes.

Adversaries exploit firmware vulnerabilities in critical devices like the iSeq 100 sequencer, which allows them to gain initial access, establish persistence, and disrupt operations in healthcare and research. 

Overwriting firmware disables the device, impacting critical functions like genetic analysis and vaccine production, making these devices highly valuable targets for both financially and politically motivated attackers.

The National Institute of Standards and Technology (NIST) recommends stringent security for DNA sequencers, with an emphasis on hardware integrity. 

Firmware, the foundational code for devices, requires rigorous analysis to ensure device security. By assessing firmware integrity, organizations can proactively identify and mitigate vulnerabilities, safeguarding their systems from potential threats.
