
DNA sequencers found running ancient BIOS, posing risk to clinical research

Devices on six-year-old firmware vulnerable to takeover and destruction

Updated: Cybersecurity shop Eclypsium claims security issues affecting leading DNA sequencing devices could lead to disruptions in crucial clinical research.

The iSeq 100, developed by manufacturer Illumina, was torn down and found to be running an insecure BIOS implementation that opened up the device to malware and ransomware attacks, as well as potential brickings.

Researchers Alex Bazhaniuk and Mickey Shkatov said the iSeq 100 was running in Compatibility Support Mode, which allows the UEFI firmware to fall back to legacy BIOS-style booting for older software and devices. The sequencer was booting to a BIOS version from 2018 known to have various security vulnerabilities.

Secure Boot wasn't enabled, nor were there any firmware write protections restricting which regions of the flash could be read from or written to. This means attackers, once they've gained a foothold on the system, in person or remotely, could modify the firmware without being detected.
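As an added example (not code from Eclypsium's report, The Register, or Illumina), here is a small Python checker that decodes the two signals described above, the Secure Boot state and whether the BIOS region of SPI flash is write-protected, from raw values a firmware-inspection tool would collect. The BIOS_CNTL bit positions and the PRx register layout are the Intel PCH conventions as assumed here (the older 13-bit base/limit fields); the sample register values, efivarfs bytes and BIOS region are constructed.

```python
"""Firmware posture check: Secure Boot state and SPI-flash BIOS write protection.

Added example, not code from the Eclypsium report or the device vendor.
Register layouts below are ASSUMED (Intel PCH conventions); sample values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# BIOS_CNTL bits (Intel PCH convention; assumed layout for this example)
BIOSWE = 1 << 0    # BIOS Write Enable: flash writable from the OS when set
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only allowed from SMM

SECUREBOOT_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID


@dataclass(frozen=True)
class ProtectedRange:
    base: int
    limit: int
    write_protected: bool

    def covers(self, lo: int, hi: int) -> bool:
        """True when this range is write-protected and fully contains [lo, hi]."""
        return self.write_protected and self.base <= lo and hi <= self.limit


def decode_pr(value: int) -> ProtectedRange:
    """Decode one SPI PRx register (assumed older-PCH layout:
    bit 31 WPE, bits 28:16 limit, bits 12:0 base, both in 4 KiB units)."""
    wpe = bool((value >> 31) & 1)
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    base = (value & 0x1FFF) << 12
    return ProtectedRange(base, limit, wpe)


def secure_boot_state(efivar: Optional[bytes]) -> Optional[bool]:
    """Parse the efivarfs SecureBoot-<GUID> file: 4 attribute bytes, then 1 data byte.
    None means the variable is absent (legacy/CSM boot or not readable)."""
    if efivar is None or len(efivar) < 5:
        return None
    return efivar[4] == 1


def bios_region_write_protected(bios_cntl: int, prs: list[int], region: tuple[int, int]) -> bool:
    """BIOS region is protected if the BLE+SMM_BWP lock is in place with BIOSWE clear,
    or if at least one write-protected PRx range fully covers the region."""
    lo, hi = region
    locked = bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP) and not (bios_cntl & BIOSWE)
    return locked or any(decode_pr(v).covers(lo, hi) for v in prs)


def assess(efivar: Optional[bytes], bios_cntl: int, prs: list[int], region: tuple[int, int]) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    sb = secure_boot_state(efivar)
    if sb is None:
        findings.append("Secure Boot variable absent: legacy/CSM boot, no boot-path verification")
    elif not sb:
        findings.append("Secure Boot disabled")
    if not bios_region_write_protected(bios_cntl, prs, region):
        findings.append("BIOS region writable: no BLE/SMM_BWP lock and no protected range covers it")
    return findings


# Constructed sample inputs: a BIOS region at flash offset 0x500000-0xFFFFFF.
BIOS_REGION = (0x500000, 0xFFFFFF)
WEAK = dict(efivar=b"\x07\x00\x00\x00\x00", bios_cntl=BIOSWE, prs=[0, 0, 0, 0, 0])
HARDENED = dict(efivar=b"\x07\x00\x00\x00\x01", bios_cntl=BLE | SMM_BWP, prs=[0x8FFF0500])
CSM_BOOT = dict(efivar=None, bios_cntl=BIOSWE, prs=[0, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("csm", CSM_BOOT)):
        print(name, assess(region=BIOS_REGION, **cfg) or ["ok"])
```

On a real system the efivarfs bytes come from `/sys/firmware/efi/efivars/SecureBoot-<GUID>` and the register values from a tool that can read PCH configuration space and the SPI controller MMIO; this checker only interprets them, it does not read hardware itself.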

"Over the past decade, the state of the BIOS/UEFI security landscape has changed considerably," said the researchers. "State-based attackers and ransomware operators have pivoted en masse to target firmware both in the supply chain as well as devices already in the field.

"In response, technology vendors ... have added layer upon layer of protections meant to keep this critical code safe. In spite of these efforts, firmware attacks have continued to grow."

Eclypsium knows of no exploitation of these issues, but its experts insist attacks aren't far-fetched, citing a 2023 FDA Class II recall that followed the discovery of a critical remote code execution bug affecting the iSeq 100 and various other sequencing devices.

That said, they were keen to stress that major attacks against BIOS/UEFI security are becoming increasingly common.

The researchers pointed to Hacking Team's UEFI exploits and the LoJax and MosaicRegressor implants as examples, among many others of note in recent years.

"In all of these examples, attackers targeted firmware as a way to ensure their malicious code could run below the level of the operating system while also establishing ongoing persistence outside of the physical device storage drives," they said.

The consequences of a successful device takeover and subsequent altering of the firmware could severely disrupt crucial research into the likes of genetic illnesses, cancers, vaccines, and more.

Bazhaniuk and Shkatov also said attacks on these devices, which would not only disrupt research but likely require "considerable effort" to restore the device to working order, could "significantly raise the stakes in the context of a ransomware" attack, especially if a hostile state was involved.

A DNA researcher The Register spoke to said that, depending on the university or institute, most scientists using DNA sequencers in the West would have more than one of the devices in the lab, albeit perhaps all from the same maker.

The device in question was made by Illumina, with the researchers noting that it was running on a motherboard manufactured by Taiwan-based IEI Integration Corp.

Given that IEI designs a wide range of equipment used in medical devices, they said it's likely that many devices beyond Illumina's are vulnerable to the same BIOS issues.

The Register contacted Illumina and IEI for a response to the research, but neither had replied at the time of publication.

However, Eclypsium noted that California-headquartered Illumina has informed customers about the security issues and issued a fix for them to apply. ®

Updated to add at 1618 UTC, January 8

An Illumina spokesperson sent us the following statement:

Illumina appreciates Eclypsium Research's report and our shared commitment to the Coordinated Vulnerability Disclosure principles. We are following our standard processes and will notify impacted customers if any mitigations are required. Our initial evaluation indicates these issues are not high-risk.

Illumina is committed to the security of our products and to privacy of genomic data and we have established oversight and accountability processes, including security best practices for the development and deployment of our products. As part of this commitment, we are always working to improve how we deliver security updates for instruments in the field.
