In a recent revelation, Eclypsium’s research team has uncovered severe BIOS/UEFI vulnerabilities in a widely used DNA gene sequencer manufactured by Illumina.
The Illumina iSeq 100, a pivotal tool in genomics and healthcare, was found to operate on outdated BIOS firmware, configured in Compatibility Support Module (CSM) mode. This antiquated setup lacks modern protections such as Secure Boot and firmware write protections. According to Eclypsium, these deficiencies allow attackers to overwrite system firmware, potentially bricking the device or embedding persistent malware.
“Instances like this of commodity hardware re-use pose significant supply chain security risks due to the potential for embedded malware or backdoors,” the report stated. Eclypsium’s findings emphasize the vulnerabilities arising from hardware dependencies in medical devices. As genomic data grows increasingly vital, the risks of exploitation expand exponentially.
The vulnerabilities in the iSeq 100 highlight several critical issues:
- Booting in CSM Mode – While CSM ensures compatibility with older devices, it is not suitable for high-value assets like medical devices, leaving them exposed to legacy security risks.
- Outdated BIOS – The iSeq 100 uses a BIOS version dating back to 2018, known to have exploitable vulnerabilities.
- Disabled Firmware Protections – The absence of read/write protections allows attackers to modify firmware freely.
- No Secure Boot – Without Secure Boot, malicious firmware changes remain undetected, further jeopardizing device integrity.
These issues collectively lower the barrier for attackers, enabling them to disrupt genomic sequencing processes or use the devices as entry points for broader attacks.
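As an added example, not Eclypsium's tooling or anything from the report, the script below checks a host for three of the four conditions listed above (legacy/CSM boot, Secure Boot state, BIOS age) by reading the standard Linux sysfs paths; firmware write-protection status is left to a chipset-level tool. The Linux host, the sysfs paths and the constructed iSeq-like sample values are assumptions.

```python
"""Constructed audit (not Eclypsium's tooling): flag legacy/CSM boot, Secure Boot off, stale BIOS."""
import os
from datetime import date
# Real sysfs paths; the GUID is EFI_GLOBAL_VARIABLE as exposed by Linux efivarfs.
EFI_DIR = "/sys/firmware/efi"
SECURE_BOOT_VAR = EFI_DIR + "/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
BIOS_DATE_PATH = "/sys/class/dmi/id/bios_date"

def parse_secure_boot(raw):
    """efivarfs prefixes 4 attribute bytes; byte 4 holds the SecureBoot value (1 = on)."""
    return None if raw is None or len(raw) < 5 else raw[4] == 1

def parse_bios_date(text):
    """DMI bios_date is MM/DD/YYYY; return a date, or None if unparseable."""
    try:
        m, d, y = (int(x) for x in text.strip().split("/"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None

def assess(efi_present, secure_boot_raw, bios_date_text, today, max_age_years=2):
    """Return findings phrased as in the report; an empty list means nothing flagged."""
    findings = []
    if not efi_present:
        findings.append("legacy/CSM boot: not booted via UEFI, so Secure Boot cannot apply")
    elif parse_secure_boot(secure_boot_raw) is None:
        findings.append("Secure Boot state unknown: SecureBoot variable missing")
    elif not parse_secure_boot(secure_boot_raw):
        findings.append("Secure Boot disabled")
    bd = parse_bios_date(bios_date_text)
    if bd is None:
        findings.append("BIOS date unreadable")
    elif (today - bd).days > 365 * max_age_years:
        findings.append(f"BIOS dated {bd.isoformat()} is older than {max_age_years} years")
    return findings

def _read(path, mode):
    try:
        with open(path, mode) as fh:
            return fh.read()
    except OSError:
        return None

def collect_live():
    """Live host check; flash write-protect bits (BIOSWE/BLE/SMM_BWP) need a chipset tool like chipsec."""
    return assess(os.path.isdir(EFI_DIR), _read(SECURE_BOOT_VAR, "rb"),
                  _read(BIOS_DATE_PATH, "r") or "", date.today())
# Constructed sample resembling the iSeq 100 findings (legacy boot, 2018 BIOS).
SAMPLE_ISEQ = dict(efi_present=False, secure_boot_raw=None,
                   bios_date_text="05/14/2018", today=date(2025, 1, 7))
```

Calling `collect_live()` on a real machine returns the same kind of findings list as `assess(**SAMPLE_ISEQ)` does for the constructed sample.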
While Eclypsium’s analysis focused on the iSeq 100, the implications extend beyond this device. Medical device manufacturers often rely on external suppliers for hardware components, introducing supply chain complexities. In this case, the vulnerabilities were traced back to an OEM motherboard produced by IEI Integration Corp.
“This is a perfect example of how mistakes early in the supply chain can have far reaching impacts across many types of devices and vendors,” the researchers noted.
Attackers exploiting these vulnerabilities could disable sequencing devices, causing severe disruptions in diagnostics, cancer research, and vaccine development. The potential for state-backed actors and ransomware groups to target these devices for geopolitical or financial motives further escalates the threat.
In response to escalating risks, NIST’s December 2023 guidelines for genomic information security emphasize the importance of stringent configuration management and integrity checks for devices like DNA sequencers. Despite these recommendations, a gap persists between regulatory expectations and real-world implementations.
The FDA has also highlighted the need for firmware security in medical devices. “This guidance is intended to cover device software functions. Examples include, but are not limited to, firmware and other means for software-based control of medical devices, software accessories to medical devices, and software only function(s) that meet the definition of a device,” the agency stated. However, bridging the gap requires robust tools and procedures for evaluating device safety at all levels.
Eclypsium’s research underscores the critical role of firmware as the foundational code for device operations. “If the firmware foundation of a device is vulnerable or compromised, it is virtually impossible to ensure the security of the device itself,” the report warns.