Researchers have unearthed critical BIOS/UEFI flaws in the Illumina iSeq 100 DNA sequencer: the device uses an outdated firmware implementation with Compatibility Support Mode (CSM) and lacks key security features such as Secure Boot and firmware write protections. Attackers can exploit these gaps to potentially overwrite the firmware, either disabling the device or installing malicious code for persistent access.
The absence of essential security measures, along with the potential presence of embedded malware and backdoors, poses a significant threat to the security of the device. Outdated firmware and complex supply chains further add to the attack surface, making the device more susceptible to exploitation.
Guidelines set forth by the National Institute of Standards and Technology (NIST) emphasize the critical role of hardware and software security in protecting genomic information. Stringent configuration management and integrity checks are recommended to mitigate the risks associated with such systems.
Over the past decade, attackers have increasingly targeted BIOS/UEFI firmware, exploiting vulnerabilities in the supply chain to compromise devices in the field. This surge in firmware-based attacks, including ransomware, has prompted technology vendors to implement various security measures like secure boot, platform integrity checks, and remote attestation.
Despite these defenses, attackers have adapted and now use sophisticated techniques such as malicious firmware updates, bootkit infections, and hardware Trojans to circumvent security measures. The iSeq 100 DNA sequencer exhibits several critical security vulnerabilities because it uses Compatibility Support Mode (CSM) instead of the more secure native UEFI boot. CSM allows the device to boot in the legacy BIOS manner, potentially introducing compatibility issues and security risks.
Moreover, the device runs on an outdated BIOS version with known vulnerabilities and lacks essential firmware protections. The absence of Secure Boot makes it possible for malicious firmware modifications to go undetected, significantly increasing the risk of compromise.
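The two conditions described above (a legacy/CSM boot path and missing Secure Boot) can be checked from the operating system. The following is an added example, not code from the researchers or the vendor; it assumes a Linux host that exposes `/sys/firmware/efi`, and the function names and the constructed sample tree are hypothetical.

```python
import os
import tempfile

# EFI global variable GUID from the UEFI specification; it namespaces SecureBoot.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def audit_boot_security(sysfs_root="/sys"):
    """Return (boot_mode, secure_boot, findings); sysfs_root is overridable for testing."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    findings = []
    if not os.path.isdir(efi_dir):
        # No EFI runtime interface is exposed: this normally means the OS was
        # started through a legacy BIOS or CSM path, where Secure Boot cannot apply.
        findings.append("legacy/CSM boot: no UEFI Secure Boot chain is possible")
        return "legacy-bios-or-csm", "unavailable", findings
    var_path = os.path.join(efi_dir, "efivars", "SecureBoot-" + EFI_GLOBAL_GUID)
    try:
        with open(var_path, "rb") as fh:
            raw = fh.read()
    except OSError:
        findings.append("UEFI boot but SecureBoot variable is missing or unreadable")
        return "uefi", "unknown", findings
    # efivarfs layout: 4 bytes of variable attributes, then the data (1 byte here).
    if len(raw) < 5:
        findings.append("SecureBoot variable is truncated")
        return "uefi", "unknown", findings
    if raw[4] == 1:
        return "uefi", "enabled", findings
    findings.append("UEFI boot with Secure Boot disabled: boot code is not verified")
    return "uefi", "disabled", findings


def build_sample_sysfs(secure_boot_byte=None):
    """Constructed sample tree: None = legacy host, 0/1 = UEFI host with that state."""
    root = tempfile.mkdtemp()
    if secure_boot_byte is not None:
        vars_dir = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(vars_dir)
        with open(os.path.join(vars_dir, "SecureBoot-" + EFI_GLOBAL_GUID), "wb") as fh:
            fh.write(b"\x06\x00\x00\x00" + bytes([secure_boot_byte]))
    return root


if __name__ == "__main__":
    print(audit_boot_security())
```

This check reports only the boot mode and the Secure Boot state; it does not verify firmware write protections or the BIOS version, which need a dedicated firmware assessment tool.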
Exploiting the Remote Code Execution (RCE) vulnerability allows attackers to gain remote access and modify firmware, potentially rendering the device useless. This type of attack is simpler than manipulating test results but can have severe consequences for the device and its users.
The Food and Drug Administration (FDA) underscores the importance of securing all software on medical devices, including firmware. Vendors must conduct thorough assessments of components from suppliers, and healthcare organizations need tools to evaluate device security before deployment. Comprehensive firmware security assessments are necessary to mitigate risks and ensure the integrity of medical devices.
Previous research has shown the vulnerability of BIOS/UEFI in traditional devices, leading to successful exploitation in attacks associated with Hacking Team, LoJax, and MosaicRegressor. The trend extends to non-standard devices, with attackers targeting firmware in various devices to gain initial access or maintain a persistent presence. The iSeq 100 DNA sequencer, crucial in healthcare and research, faces similar threats.
Compromised firmware on the iSeq 100 could disrupt operations, impacting critical research and potentially serving geopolitical or financial motives. Because firmware integrity underpins overall device security, any firmware compromise can severely undermine it.
Just as life scientists analyze DNA for vulnerabilities, IT and security teams must use specialized tools to assess firmware code for weaknesses, ensuring the robust security of underlying technology. As attackers evolve their techniques, it is imperative for organizations to stay ahead of potential threats and secure their devices against firmware-based attacks.

