Researchers at Eclypsium have uncovered BIOS/UEFI vulnerabilities in the widely used Illumina iSeq 100 DNA sequencer. The device relies on an outdated BIOS version with Compatibility Support Module (CSM) enabled, lacking Secure Boot functionality and standard firmware write protections. This exposes the device to risks where attackers could modify its firmware, disable its functionality, or implant malware for long-term control.
The reliance on off-the-shelf hardware in medical devices amplifies the vulnerabilities across the supply chain, particularly when rooted in obsolete technologies. In this case, the issues stem from a motherboard manufactured by IEI Integration Corp, which is also utilized in other medical and industrial devices.
The analysis revealed several critical flaws. First, the enabled CSM mode supports legacy BIOS versions, which are unsafe for modern systems. Second, the BIOS version in use (B480AM12, dated 2018) contains known vulnerabilities. Third, basic protections against unauthorized firmware writes and boot code integrity checks are absent. These shortcomings enable covert firmware modifications.
The vulnerabilities in the Illumina iSeq 100 are particularly concerning against the backdrop of recent incidents. In 2023, Illumina devices were compromised due to a remote code execution vulnerability (CVE-2023-1968), prompting an FDA-mandated recall and recommendations from CISA. Restoring affected devices requires considerable effort, and disruptions to their operation can severely impact medical institutions.
BIOS/UEFI vulnerabilities have been actively exploited by threat actors for years. Since 2015, UEFI implants like Hacking Team, LoJax, and MosaicRegressor have been used to establish control beneath the operating system layer, presenting persistent and stealthy threats.
This issue is especially pressing in the medical field. Devices like DNA sequencers play a pivotal role in disease diagnosis, vaccine development, and genetic analysis. Their compromise could facilitate cyberattacks or serve geopolitical objectives.
In December 2023, NIST issued recommendations for safeguarding genomic data, emphasizing the importance of configuration management and hardware integrity verification. Experts urge medical device manufacturers to prioritize the security of components supplied by OEMs and to develop robust tools for assessing device security.
