Cybersecurity researchers have discovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that, if successfully exploited, could allow attackers to brick sensitive devices or install persistent malware on them.
“The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM (Compatibility Support Mode) mode and without secure boot or standard firmware write protection,” Eclypsium said in a report shared with The Hacker News.
“This would allow an attacker on the system to overwrite the system’s firmware to either ‘brick’ the device or install a firmware implant for the attacker’s permanent persistence.”
While the Unified Extensible Firmware Interface (UEFI) is a modern replacement for the Basic Input/Output System (BIOS), the firmware security company reported that the iSeq 100 boots with an old BIOS version (B480AM12 – 04/12/2018) that has known vulnerabilities.
Also conspicuously absent are safeguards that tell the hardware where it can read and write firmware, allowing an attacker to modify the device’s firmware. Secure Boot is also not enabled, allowing malicious firmware changes to go undetected.
Eclypsium noted that CSM support is not recommended for new high-value assets, as it is mainly intended for older devices that cannot be upgraded and must maintain compatibility. Following responsible disclosure, Illumina released a fix.
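The conditions reported above (legacy BIOS/CSM boot, Secure Boot not in effect, a years-old BIOS build) can be checked from sysfs on a Linux host. The following is an added example, not code from Eclypsium or Illumina; it assumes a Linux system, and the function name `audit_boot_posture` and the three-year age threshold are hypothetical. It does not assess firmware write protection.

```python
from datetime import date, datetime
from pathlib import Path

# EFI global-variable GUID under which firmware publishes the SecureBoot variable.
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def _read(path):
    """Return the stripped text of a sysfs attribute, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_boot_posture(sysroot="/sys", max_age_years=3, today=None):
    """Return findings for legacy/CSM boot, Secure Boot off, and an old BIOS.

    max_age_years is an assumed policy threshold, not a value from the report.
    """
    root, findings = Path(sysroot), []
    today = today or date.today()
    efi = root / "firmware" / "efi"
    if not efi.is_dir():
        # No EFI runtime interface: the OS was started through legacy BIOS/CSM,
        # so Secure Boot cannot be in effect either.
        findings.append("legacy-boot: booted via BIOS/CSM, Secure Boot not possible")
    else:
        try:
            # efivarfs layout: 4 attribute bytes followed by a 1-byte value.
            data = (efi / "efivars" / SECUREBOOT_VAR).read_bytes()
        except OSError:
            data = b""
        if len(data) < 5 or data[4] != 1:
            findings.append("secure-boot-off: SecureBoot variable missing or 0")
    version = _read(root / "class" / "dmi" / "id" / "bios_version") or "unknown"
    raw_date = _read(root / "class" / "dmi" / "id" / "bios_date")
    try:
        built = datetime.strptime(raw_date or "", "%m/%d/%Y").date()
    except ValueError:
        findings.append(f"bios-date-unknown: version {version}")
    else:
        age = (today - built).days / 365.25
        if age > max_age_years:
            findings.append(f"old-bios: version {version} dated {raw_date} ({age:.1f} years)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_boot_posture()) or "no findings")
```

Run it as root so the `SecureBoot` variable is readable; an empty result means none of the three conditions was detected.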
In a hypothetical attack scenario, an adversary could target unpatched Illumina devices, elevate their privileges, and write arbitrary code to the firmware.
This is not the first time that serious vulnerabilities have been discovered in Illumina’s DNA gene sequencers. In April 2023, a critical security flaw (CVE-2023-1968, CVSS score: 10.0) was disclosed that could make it possible to eavesdrop on network traffic and remotely transmit arbitrary commands.
“The ability to overwrite the firmware on the iSeq 100 would allow attackers to easily disable the device, causing significant disruption in the context of a ransomware attack. Not only would this disable a valuable device, but it would also likely take considerable effort to recover the device by manually flashing the firmware,” Eclypsium said.
“This can significantly raise the stakes in the context of ransomware or cyber attacks. Sequencers are important for the detection of genetic diseases, cancer, the identification of drug-resistant bacteria and for the production of vaccines. This would make these devices a ripe target for state-established actors with geopolitical motives in addition to the more traditional financial motives of ransomware actors.”