Ethical Hacking News
DNA sequencing devices found to be running ancient BIOS firmware pose a significant risk to clinical research. According to recent findings by researchers at Eclypsium, the iSeq 100 developed by Illumina is vulnerable to attacks due to its use of an insecure BIOS implementation. This could lead to disruptions in crucial medical research and potentially even national security threats.
The iSeq 100 DNA sequencing device was found to be running ancient BIOS firmware from 2018 with known security vulnerabilities. Avoiding Compatibility Support Mode could mitigate the risk, but this feature also allows older devices to boot on newer firmware. Attacks on these devices could disrupt clinical research and analysis of genetic material, leading to significant risks and disruptions. The discovery highlights the need for improved BIOS/UEFI security measures in devices used for DNA sequencing.
In a concerning development that has sent shockwaves through the scientific community, researchers at Eclypsium have found that DNA sequencing devices running ancient BIOS firmware pose a significant risk to clinical research. The iSeq 100, developed by Illumina, was recently found to be booting up on a BIOS version from 2018 known to have various security vulnerabilities.
According to the researchers, the device in question was found to be running in Compatibility Support Mode, which allows the UEFI to boot older BIOS firmware suitable for older devices. This mode is typically used to support legacy systems and ensure compatibility with older hardware. However, this feature also poses a significant risk to the security of the device.
The researchers noted that the iSeq 100 was booting up on a BIOS version from 2018 known to have various security vulnerabilities. Specifically, they pointed out that features like Secure Boot were not running, and there were no firmware protections in place to specify the locations to which devices could read and write. This meant that attackers could modify the firmware without being detected.
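The three conditions described above (legacy/CSM boot, Secure Boot not running, years-old firmware) can be checked from the operating system on a fleet of lab hosts. The following is an added example, not code from Eclypsium or Illumina; it assumes a Linux host exposing the standard sysfs and efivarfs paths, and the sample trees and dates it builds are constructed for illustration.

```python
import datetime
import pathlib
import tempfile

# Standard EFI global-variable GUID, as it appears in the Linux efivarfs file name.
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def assess_firmware(root, today, max_age_years=3):
    """Return a list of findings for one host; `root` is normally "/sys"."""
    root = pathlib.Path(root)
    findings = []
    efi_dir = root / "firmware" / "efi"
    if not efi_dir.is_dir():
        # No EFI runtime interface: the OS was started via legacy BIOS or CSM.
        findings.append("legacy/CSM boot: Secure Boot cannot be enforced")
    else:
        try:
            data = (efi_dir / "efivars" / SECURE_BOOT_VAR).read_bytes()
        except OSError:
            data = b""
        # efivarfs layout: 4 attribute bytes, then the 1-byte value (1 = enabled).
        if len(data) < 5 or data[4] != 1:
            findings.append("UEFI boot but Secure Boot is disabled or unreadable")
    try:
        raw = (root / "class" / "dmi" / "id" / "bios_date").read_text().strip()
        released = datetime.datetime.strptime(raw, "%m/%d/%Y").date()
        age = (today - released).days / 365.25
        if age > max_age_years:  # threshold is an assumption; set it per policy
            findings.append(f"firmware dated {released.isoformat()} is {age:.1f} years old")
    except (OSError, ValueError):
        findings.append("firmware release date unavailable")
    return findings

def build_sample(secure_boot, bios_date, uefi=True):
    """Build a constructed sysfs-like tree so the check runs offline."""
    root = pathlib.Path(tempfile.mkdtemp())
    dmi = root / "class" / "dmi" / "id"
    dmi.mkdir(parents=True)
    (dmi / "bios_date").write_text(bios_date + "\n")
    if uefi:
        efivars = root / "firmware" / "efi" / "efivars"
        efivars.mkdir(parents=True)
        if secure_boot is not None:
            (efivars / SECURE_BOOT_VAR).write_bytes(b"\x06\x00\x00\x00" + bytes([secure_boot]))
    return root

if __name__ == "__main__":
    day = datetime.date(2025, 1, 8)
    print(assess_firmware(build_sample(None, "06/01/2018", uefi=False), day))
    print(assess_firmware(build_sample(1, "11/15/2024"), day))
```

On a real host, call `assess_firmware("/sys", datetime.date.today())`; an empty list means none of the three conditions was detected.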
The implications of this discovery are far-reaching and alarming. DNA sequencing devices are critical tools used in clinical research to analyze genetic material and identify potential causes of diseases. A successful attack on these devices could disrupt crucial research into genetic illnesses, cancers, vaccines, and other areas of medical research.
Furthermore, the researchers pointed out that attacks on these devices would not only disrupt research but also require significant effort to restore the device to working order. If a hostile state were involved in the attack, the stakes would be even higher.
The discovery has sent shockwaves through the scientific community, with many experts expressing concern about the potential risks posed by this vulnerability. According to Alex Bazhaniuk and Mickey Shkatov, the researchers who made the discovery, attacks on these devices could significantly raise the stakes in the context of a ransomware attack.
The researchers noted that the state of the BIOS/UEFI security landscape has changed considerably over the past decade. State-based attackers and ransomware operators have pivoted en masse to target firmware, both in the supply chain and in devices already in the field.
In response, technology vendors have added layer upon layer of protections meant to keep this critical code safe. However, despite these efforts, firmware attacks have continued to grow.
There are currently no known exploits of these issues, but Eclypsium's experts insist that attacks on BIOS/UEFI security are becoming increasingly common. The researchers pointed to Hacking Team's UEFI exploits and the LoJax and MosaicRegressor implants as examples of note in recent years.
The consequences of a successful device takeover and subsequent altering of the firmware could be severe. Depending on the university or institute using the device, scientists may have more than one device in the lab, all from the same manufacturer. This means that the risk of disruption to clinical research is even higher.
Illumina has already taken steps to address this issue, informing customers about the security issues and issuing a fix for them to apply. However, the company has yet to respond to The Register's requests for comment.
In conclusion, the discovery by Eclypsium has highlighted the critical need for improved BIOS/UEFI security measures in devices used for DNA sequencing. The implications of this vulnerability are far-reaching and alarming, with potential disruptions to clinical research and significant risks to national security.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/01/08/dna_sequencer_vulnerabilities/
Published: Wed Jan 8 11:20:19 2025 by llama3.2 3B Q4_K_M