Cybersecurity specialists have identified severe firmware vulnerabilities in Illumina’s iSeq 100 DNA sequencing devices, which could enable attackers to render the equipment inoperable or embed persistent malware for long-term exploitation.
“The Illumina iSeq 100 relies on an antiquated implementation of BIOS firmware using Compatibility Support Mode (CSM), devoid of Secure Boot or standard firmware write protections,” revealed Eclypsium in a report shared with The Hacker News.
“This oversight grants adversaries the ability to overwrite system firmware, effectively ‘bricking’ the device or implanting malicious firmware for sustained attacker access.”
While modern systems typically use the Unified Extensible Firmware Interface (UEFI) in place of the outdated Basic Input/Output System (BIOS), the iSeq 100 still runs an older BIOS version (B480AM12, dated April 12, 2018) that is riddled with exploitable flaws. Additionally, with no safeguards restricting firmware read/write operations and no Secure Boot, the system is susceptible to unauthorized modification, and malicious firmware changes can go undetected.
Compatibility Mode Raises Security Concerns
Eclypsium emphasized that CSM, intended for legacy devices, is ill-suited for high-value modern assets such as the iSeq 100. Relying on this legacy feature trades robust security for compatibility. Following responsible disclosure of the issue, Illumina has issued a corrective update to address the vulnerability.
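A defender can check other lab hosts for the same conditions described above: legacy BIOS/CSM boot, Secure Boot not enforced, and aged firmware. The following is an added example, not code from Eclypsium or Illumina; it assumes a Linux host that exposes firmware details through sysfs, and the function name, `root` parameter and five-year age threshold are illustrative choices.

```python
from datetime import date, datetime
from pathlib import Path

# EFI global-variable GUID under which the SecureBoot variable lives.
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def _read(path):
    """Return stripped text of a sysfs file, or None when it is missing."""
    try:
        return path.read_text().strip()
    except OSError:
        return None

def audit_boot_posture(root="/", today=None, max_age_years=5):
    """Collect firmware facts from sysfs and list the resulting findings."""
    root, today = Path(root), today or date.today()
    efi = root / "sys/firmware/efi"
    dmi = root / "sys/class/dmi/id"
    facts = {
        "uefi_boot": efi.is_dir(),  # directory absent => legacy BIOS / CSM boot
        "secure_boot": False,
        "bios_version": _read(dmi / "bios_version"),
        "bios_date": _read(dmi / "bios_date"),  # MM/DD/YYYY
    }
    try:
        raw = (efi / "efivars" / SECURE_BOOT_VAR).read_bytes()
        # efivarfs prefixes the value with 4 attribute bytes; 1 means enabled.
        facts["secure_boot"] = len(raw) >= 5 and raw[4] == 1
    except OSError:
        pass  # variable unreadable or no EFI runtime: treat as not enforced
    findings = []
    if not facts["uefi_boot"]:
        findings.append("legacy BIOS/CSM boot: Secure Boot cannot be enforced")
    elif not facts["secure_boot"]:
        findings.append("UEFI boot with Secure Boot disabled")
    if facts["bios_date"]:
        try:
            built = datetime.strptime(facts["bios_date"], "%m/%d/%Y").date()
            if (today - built).days > max_age_years * 365:
                findings.append(
                    f"firmware {facts['bios_version']} built {built} is stale"
                )
        except ValueError:
            findings.append("unparseable BIOS date: " + facts["bios_date"])
    return facts, findings

if __name__ == "__main__":
    print(audit_boot_posture())
```

Firmware write protection is not exposed through sysfs and needs a separate chipset-level check.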
The Potential for Devastating Exploits
In a hypothetical attack, an adversary could target unpatched iSeq 100 devices to escalate privileges and inject arbitrary firmware code. This could enable attackers to disrupt operations entirely by disabling the sequencer or by embedding persistent malware to maintain control.
The broader implications of such an attack are alarming. DNA sequencers like the iSeq 100 are critical tools in detecting genetic disorders, identifying drug-resistant pathogens, diagnosing cancers, and supporting vaccine production. Disabling these devices could lead to catastrophic delays in medical and scientific efforts.
Not Illumina’s First Vulnerability
This is not the first security lapse uncovered in Illumina’s DNA sequencing instruments. In April 2023, researchers revealed a separate critical flaw (CVE-2023-1968, with a maximum CVSS score of 10.0) that could allow attackers to intercept network traffic and remotely execute arbitrary commands.
Implications for Healthcare and Geopolitics
“The capacity to overwrite firmware on the iSeq 100 gives attackers a straightforward method to incapacitate the device, potentially amplifying the impact of ransomware campaigns,” warned Eclypsium. “Recovering from such an attack would demand significant effort, such as manually reflashing the firmware, leading to considerable downtime.”
These vulnerabilities present an enticing target for both financially motivated ransomware groups and state-sponsored actors pursuing geopolitical objectives. By exploiting these flaws, adversaries could jeopardize essential healthcare functions and disrupt critical workflows in genomic research and public health.
The discovery underscores the urgent need for rigorous security protocols in devices supporting high-stakes applications. As technology advances, safeguarding these assets against increasingly sophisticated threats remains paramount.