Scientists Discover a Serious Security Vulnerability in Illumina iSeq 100 DNA Sequencers
Cybersecurity researchers have discovered firmware security flaws in the Illumina iSeq 100 DNA sequencer that, if successfully exploited, could allow attackers to brick vulnerable devices or install persistent malware on them.
"The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM [Compatibility Support Mode] mode and without Secure Boot or standard firmware write protections," Eclypsium stated in a report that was supplied to The Hacker News.
"This would allow an attacker on the system to overwrite the system firmware to either 'brick' the device or install a firmware implant for ongoing attacker persistence." The firmware security company said the iSeq 100 boots to an outdated version of the Basic Input/Output System (BIOS), even though the Unified Extensible Firmware Interface (UEFI) is its modern replacement.
Also conspicuously missing are the protections that tell the hardware where firmware can be read and written, which would enable an attacker to alter the device's firmware. Secure Boot is also disabled, so malicious firmware modifications could remain undetected.
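The three conditions described above (legacy/CSM boot, Secure Boot disabled, no firmware write protection) can be checked from raw platform values. The following is an added example, not code from Eclypsium or Illumina; it assumes an Intel PCH-based system, a Linux efivarfs-style `SecureBoot` blob, and register values already read with a tool such as CHIPSEC. The function names and all sample values are constructed for illustration.

```python
import struct

# Intel PCH bit positions (assumption: Intel platform; not stated on the page).
BIOSWE = 1 << 0    # BIOS_CNTL: flash writes enabled
BLE = 1 << 1       # BIOS_CNTL: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # BIOS_CNTL: BIOS region writable only from SMM
PR_WPE = 1 << 31   # SPI Protected Range register: write protection enabled


def secure_boot_enabled(blob):
    """Decode an efivarfs SecureBoot file: 4-byte attributes, then 1-byte value."""
    if len(blob) != 5:
        raise ValueError("unexpected SecureBoot variable length")
    _attrs, value = struct.unpack("<IB", blob)
    return value == 1


def audit(uefi_boot, secure_boot_blob, bios_cntl, protected_ranges):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if not uefi_boot:
        findings.append("legacy BIOS/CSM boot, Secure Boot unavailable")
    elif secure_boot_blob is None or not secure_boot_enabled(secure_boot_blob):
        findings.append("UEFI boot with Secure Boot disabled")
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: flash writes are enabled")
    if not bios_cntl & BLE:
        findings.append("BLE clear: BIOSWE can be set without an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: flash writable outside SMM")
    if not any(pr & PR_WPE for pr in protected_ranges):
        findings.append("no SPI protected range is write-protected")
    return findings


# Constructed sample values, not measurements from any real device.
WEAK = dict(uefi_boot=False, secure_boot_blob=None,
            bios_cntl=0x01, protected_ranges=[0, 0, 0, 0, 0])
HARDENED = dict(uefi_boot=True, secure_boot_blob=b"\x06\x00\x00\x00\x01",
                bios_cntl=BLE | SMM_BWP,
                protected_ranges=[0x8FFF0800, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit(**sample)
        print(name, "->", result or "no findings")
```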
Eclypsium noted that because CSM is primarily intended for outdated devices that must maintain compatibility and cannot be upgraded, supporting it is not recommended for newer high-value assets. Illumina has published a fix following responsible disclosure. In a hypothetical attack scenario, an adversary could target unpatched Illumina devices, escalate their privileges, and write arbitrary code to the firmware.
This is not the first time serious flaws have been revealed in Illumina DNA gene sequencers. A critical security weakness (CVE-2023-1968, CVSS score: 10.0) that was discovered in April 2023 could have allowed an attacker to transmit arbitrary commands remotely and eavesdrop on network traffic. "In the event of a ransomware attack, the iSeq 100's software may be overwritten, making it simple for attackers to disable the device and inflict serious damage. Not only would this render valuable equipment inoperable, but manually flashing the firmware to restore it would probably require a significant amount of work," according to Eclypsium.
"This could dramatically increase the stakes in the event of a hack or ransomware. In order to discover drug-resistant microorganisms, diagnose genetic diseases, detect cancer, and produce vaccines, sequencers are essential. This would make these devices a prime target for both the more conventional financial motivations of ransomware perpetrators and state-based hackers with geopolitical goals."