Concerns Raised Over Security Flaws in Popular DNA Sequencer
In a recent report, experts have identified significant security vulnerabilities in the Illumina iSeq 100, a widely used DNA sequencer. This device, prevalent in numerous genetic research facilities, does not implement Secure Boot, a critical security feature designed to protect systems from malware attacks targeting firmware.
Secure Boot was established in 2012 as a collaborative effort among hardware and software manufacturers to safeguard Windows devices from malware that could compromise the BIOS and UEFI firmware. The absence of Secure Boot leaves devices vulnerable to malware that may infect them before the operating system loads, making detection and removal exceedingly difficult.
Since 2016, Microsoft has mandated the inclusion of a robust trusted platform module on all Windows devices to enforce Secure Boot. Despite this, many specialized devices, including scientific instruments in research laboratories, remain without this essential security layer. The recent analysis by Eclypsium, a firmware security firm, highlights the iSeq 100 as a prime example of this oversight.
The iSeq 100 is capable of booting in Compatibility Support Mode to accommodate older systems, which exposes it to critical vulnerabilities from outdated BIOS versions like B480AM12, dating back to 2018. These vulnerabilities can be exploited for firmware attacks that Secure Boot was designed to prevent. Additionally, the lack of firmware Read/Write protections allows potential attackers to alter the device's firmware undetected.
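The boot-mode, Secure Boot and BIOS-age conditions described above can be checked read-only on a Windows-based instrument PC. The script below is an added example, not code from Eclypsium or Illumina; it assumes an elevated PowerShell 5.1+ session on the host, and `Get-FirmwarePosture` and `$MaxBiosAgeYears` are hypothetical names, the latter an assumed policy threshold.

```powershell
# Added example: read-only firmware posture check for a Windows-based instrument PC.
# Run from an elevated PowerShell 5.1+ session on the host being audited.
# $MaxBiosAgeYears is an assumed policy threshold, not a value from the report.
param([int]$MaxBiosAgeYears = 3)

function Get-FirmwarePosture {
    param([int]$MaxBiosAgeYears)

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $firmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and raises an
    # error when the machine booted in legacy/CSM mode or the session is not elevated.
    $secureBoot = 'Unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'Unsupported (legacy/CSM boot)'
    } catch [System.UnauthorizedAccessException] {
        $secureBoot = 'Unknown (run elevated)'
    } catch {
        $secureBoot = "Unknown ($($_.Exception.Message))"
    }

    # Age of the installed BIOS build, from the release date reported by SMBIOS.
    $ageYears = $null
    if ($bios.ReleaseDate) {
        $ageYears = [math]::Round(((Get-Date) - $bios.ReleaseDate).TotalDays / 365.25, 1)
    }

    $findings = @()
    if ("$firmwareType" -ne 'Uefi') { $findings += 'Booted in legacy/CSM mode' }
    if ($secureBoot -ne 'Enabled')  { $findings += "Secure Boot: $secureBoot" }
    if ($null -ne $ageYears -and $ageYears -gt $MaxBiosAgeYears) {
        $findings += "BIOS $($bios.SMBIOSBIOSVersion) is $ageYears years old"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosReleased = $bios.ReleaseDate
        FirmwareType = $firmwareType
        SecureBoot   = $secureBoot
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Get-FirmwarePosture -MaxBiosAgeYears $MaxBiosAgeYears | Format-List
```

The script does not test firmware read/write protections; those are set at the flash-controller level and need a dedicated firmware assessment tool.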
Eclypsium's findings suggest that the issues identified in the iSeq 100 may be indicative of a broader problem within medical devices that utilize similar OEM components. The firm noted that many medical device manufacturers rely on third-party suppliers for the underlying computing infrastructure, which can lead to widespread vulnerabilities across various devices.
Experts caution that the risks posed by devices lacking Secure Boot are significant, especially as many medical devices operate on outdated configurations that cannot be easily updated. The potential for malware to compromise such critical equipment raises alarms about the security of sensitive research environments.
In response to the findings, Illumina expressed gratitude to Eclypsium for their research and asserted that the iSeq 100 adheres to established security practices. The company indicated that they would inform affected customers should any mitigations be necessary, deeming the identified issues to be of low risk.
Historically, the risks associated with BIOS-based malware have evolved from theoretical concerns to real-world threats, evidenced by the emergence of various malware targeting firmware. The ease with which threat actors could potentially exploit vulnerabilities in widely used gene sequencers poses a serious threat, as it could enable ransomware attacks across entire networks.
Furthermore, researchers have demonstrated that malware could manipulate sequencing results, leading to erroneous conclusions regarding genetic relationships. This capability underscores the urgent need for enhanced security measures in devices critical to genetic research.