Cybersecurity researchers have uncovered significant vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument, which could allow attackers to compromise devices by either rendering them inoperative or installing persistent malware. The flaws were traced to outdated BIOS firmware that uses Compatibility Support Mode (CSM), a legacy feature designed for older systems. The iSeq 100 does not have protections like Secure Boot or standard firmware write safeguards, making it highly susceptible to manipulation. With the ability to overwrite the system’s firmware, an attacker could either “brick” the device or implant malicious code for long-term access.
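A defender's audit for the two boot weaknesses named above (legacy CSM boot, Secure Boot absent), written as an added example; it is not code from Eclypsium, Illumina, or the original article. It assumes a Linux host that exposes sysfs and efivarfs, and the function name `boot_posture` and its output labels are invented for this illustration.

```shell
#!/bin/sh
# Added example: classify how a Linux host was booted.
# Assumption: sysfs at <root>/sys and efivarfs at <root>/sys/firmware/efi/efivars.
# The root is a parameter so the check can be run against a constructed tree.

# SecureBoot variable under the EFI global-variable GUID.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

boot_posture() (
    root="${1:-/}"
    efi="${root%/}/sys/firmware/efi"
    var="$efi/efivars/$SB_VAR"

    if [ ! -d "$efi" ]; then
        # No EFI runtime exposed: the kernel was started through the
        # legacy BIOS / CSM path, so Secure Boot cannot be in effect.
        echo "legacy-bios"
    elif [ ! -r "$var" ]; then
        # UEFI boot, but the variable is missing or unreadable.
        echo "uefi-secureboot-unknown"
    else
        # efivarfs files start with 4 attribute bytes; the SecureBoot
        # payload is the single byte that follows (1 = on, 0 = off).
        state=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
        case "$state" in
            1) echo "uefi-secureboot-on" ;;
            0) echo "uefi-secureboot-off" ;;
            *) echo "uefi-secureboot-unknown" ;;
        esac
    fi
)

# Report the posture of the running host (or of a root passed as $1).
boot_posture "${1:-/}"
```

A result of `uefi-secureboot-on` only covers the boot path; it does not show whether the firmware flash itself is write-protected, which needs a platform-specific tool.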
These vulnerabilities are particularly concerning in the context of DNA sequencing devices, which are critical to fields such as genetics, medical research, and vaccine production. The lack of modern firmware protections and the use of an old BIOS increase the risk of these devices being targeted by cybercriminals or state-backed actors. An attacker could escalate privileges, overwrite firmware, and manipulate the system, potentially altering genetic data or sabotaging research. Such attacks could have severe consequences, including the production of incorrect genetic results or disruptions in high-stakes medical research.
Eclypsium, the firm behind the discovery, notes that this issue isn’t unique to Illumina but may affect other devices in medical and industrial sectors due to common vulnerabilities in OEM motherboards. The flaws have been traced back to the IEI Integration Corp motherboard, which may indicate similar problems in a range of devices beyond just DNA sequencers. This highlights a broader supply chain issue where security vulnerabilities in early-stage manufacturing could have far-reaching consequences across various types of devices used in critical infrastructure, particularly those involved in medical research and healthcare.
Illumina has responded to the issue by releasing a patch to address the flaws, following responsible disclosure. While this mitigates the immediate risk for iSeq 100 users, the case raises broader concerns about the security of critical devices in sensitive sectors. The vulnerabilities underscore the growing need for robust security measures in healthcare and research technologies, especially considering the increasing sophistication of cyberattacks. Devices such as DNA sequencers are prime targets due to their vital role in diagnosing diseases, identifying genetic conditions, and supporting vaccine development, making them high-value assets for malicious actors.