Cybersecurity researchers have uncovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that, if successfully exploited, could permit attackers to brick or plant persistent malware on susceptible devices.
“The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM [Compatibility Support Mode] mode and without Secure Boot or standard firmware write protections,” Eclypsium said in a report shared with The Hacker News.
“This would allow an attacker on the system to overwrite the system firmware to either ‘brick’ the device or install a firmware implant for ongoing attacker persistence.”
While the Unified Extensible Firmware Interface (UEFI) is the modern replacement for the Basic Input/Output System (BIOS), the firmware security company said the iSeq 100 boots to an old version of BIOS (B480AM12 – 04/12/2018) that has known vulnerabilities.
Also noticeably absent are protections to tell the hardware where it can read and write firmware, thereby allowing an attacker to modify device firmware. Also not enabled is Secure Boot, thereby allowing malicious changes to the firmware to go undetected.
Eclypsium pointed out that it’s not advisable for newer high-value assets to support CSM, as it’s chiefly meant for old devices that can’t be upgraded and need to maintain compatibility. Following responsible disclosure, Illumina has released a fix.
In a hypothetical attack scenario, an adversary could target unpatched Illumina devices, escalate their privileges, and write arbitrary code to the firmware.
This is not the first time severe vulnerabilities have been disclosed in DNA gene sequencers from Illumina. In April 2023, a critical security flaw (CVE-2023-1968, CVSS score: 10.0) could have made it possible to eavesdrop on network traffic and remotely transmit arbitrary commands.
“The ability to overwrite firmware on the iSeq 100 would enable attackers to easily disable the device, causing significant disruption in the context of a ransomware attack. This would not only take a high-value device out of service, it would also likely take considerable effort to recover the device via manually reflashing the firmware,” Eclypsium said.
“This could significantly raise the stakes in the context of a ransomware or cyberattack. Sequencers are critical to detecting genetic illnesses, cancers, identifying drug-resistant bacteria, and for the production of vaccines. This would make these devices a ripe target for state-based actors with geopolitical motives in addition to the more traditional financial motives of ransomware actors.”