Major Security Flaws Discovered in Illumina iSeq 100 DNA Sequencers



Cybersecurity researchers have identified serious firmware vulnerabilities in Illumina's iSeq 100 DNA sequencing devices that could allow attackers to either disable the machines or implant persistent malware, posing a significant cybersecurity risk.


According to a report by Eclypsium, shared with The Hacker News, the Illumina iSeq 100 runs outdated BIOS firmware in Compatibility Support Mode (CSM), without Secure Boot or standard firmware write protections.


Potential Risks: Bricked Devices and Persistent Malware

"The Illumina iSeq 100 relied on an obsolete BIOS firmware implementation, running in CSM mode without Secure Boot or essential firmware write protections," Eclypsium researchers explained. "This vulnerability allows attackers to overwrite system firmware, effectively 'bricking' the device or installing a firmware implant to establish long-term persistence."


Despite the Unified Extensible Firmware Interface (UEFI) being the modern standard, the iSeq 100 still boots an outdated BIOS version (B480AM12 - 04/12/2018), which is known to contain multiple security weaknesses.


Furthermore, the device lacks essential hardware protections that regulate where firmware can be read and written, making it susceptible to unauthorized modifications. The absence of Secure Boot further exacerbates the issue, as it allows malicious firmware alterations to go undetected.
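The conditions described above (legacy/CSM boot, no Secure Boot, old firmware) can be checked from the operating system on hosts a defender manages. The following is an added example, not code from Eclypsium, Illumina or the original article; it assumes a Linux host exposing /sys/firmware/efi and /sys/class/dmi/id, and the function names, the `max_age_years` threshold and the sample tree are hypothetical.

```python
import tempfile
from datetime import date, datetime
from pathlib import Path

# Name of the SecureBoot variable under efivarfs (EFI global variable GUID).
SB_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def firmware_posture(root="/", today=None, max_age_years=3):
    """Return a list of findings; `root` lets a test point at a fake sysfs tree."""
    root, today = Path(root), today or date.today()
    findings = []
    efi = root / "sys/firmware/efi"
    if not efi.is_dir():
        # The kernel only creates this directory when started by UEFI firmware.
        findings.append("legacy BIOS/CSM boot (Secure Boot not possible)")
    else:
        try:
            raw = (efi / "efivars" / SB_VAR).read_bytes()
        except OSError:
            raw = b""  # variable missing or unreadable: treat as disabled
        # efivarfs layout: 4 attribute bytes, then the 1-byte variable value.
        if len(raw) < 5 or raw[4] != 1:
            findings.append("Secure Boot disabled")
    try:
        text = (root / "sys/class/dmi/id/bios_date").read_text().strip()
        released = datetime.strptime(text, "%m/%d/%Y").date()  # DMI uses MM/DD/YYYY
    except (OSError, ValueError):
        findings.append("firmware release date unreadable")
    else:
        age = (today - released).days / 365.25
        if age > max_age_years:
            findings.append(f"firmware dated {text} is {age:.1f} years old")
    return findings

def build_sample_tree(base, uefi, secure_boot, bios_date):
    """Constructed fixture: a minimal fake sysfs tree under `base`."""
    dmi = Path(base) / "sys/class/dmi/id"
    dmi.mkdir(parents=True)
    (dmi / "bios_date").write_text(bios_date + "\n")
    if uefi:
        var_dir = Path(base) / "sys/firmware/efi/efivars"
        var_dir.mkdir(parents=True)
        (var_dir / SB_VAR).write_bytes(b"\x06\x00\x00\x00" + bytes([secure_boot]))
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed input; BIOS date as cited above
        tree = build_sample_tree(tmp, uefi=False, secure_boot=False, bios_date="04/12/2018")
        print(firmware_posture(tree, today=date(2025, 1, 7)))
```

Calling `firmware_posture()` with no arguments audits the live host. SPI flash write-protection settings are not visible in sysfs and need a dedicated tool such as CHIPSEC.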


Illumina Releases Patch Following Responsible Disclosure

Eclypsium emphasized that high-value assets should not rely on CSM, as it is primarily designed for legacy hardware that cannot be upgraded. Following responsible disclosure, Illumina has rolled out a security patch to address these vulnerabilities.


A hypothetical attack scenario could see threat actors exploiting unpatched Illumina devices, escalating privileges, and injecting arbitrary code into the firmware.


Recurring Security Concerns in Illumina DNA Sequencers

This is not the first time critical security flaws have been discovered in Illumina’s DNA sequencing equipment. In April 2023, researchers uncovered a severe vulnerability (CVE-2023-1968, CVSS score: 10.0) that allowed attackers to intercept network traffic and remotely execute arbitrary commands.


Implications for Healthcare and Biotech Sectors

"The ability to overwrite firmware on the iSeq 100 provides attackers with an easy method to disable the device, causing significant disruptions—especially in a ransomware attack scenario," Eclypsium noted. "Beyond taking a crucial medical device offline, recovering it would require extensive manual firmware reflashing."


This vulnerability could have major consequences for healthcare and biotech industries, where DNA sequencers play a crucial role in detecting genetic disorders, diagnosing cancers, identifying drug-resistant bacteria, and even developing vaccines. Given their significance, these devices may become prime targets for cybercriminals—ranging from financially motivated ransomware groups to state-sponsored actors with geopolitical interests.


Conclusion

With cybersecurity threats continuing to evolve, addressing vulnerabilities in critical medical and biotech infrastructure remains paramount. Organizations using Illumina iSeq 100 sequencers should apply the latest security patch immediately to mitigate potential risks and prevent devastating cyberattacks.