DNA sequencer company notifying customers of vulnerabilities in popular device
Healthcare technology vendor Illumina is notifying customers of a vulnerability affecting a popular DNA sequencer after a cybersecurity firm discovered issues with the product that would allow hackers to disable the devices or gain a foothold in them.
The device, the Illumina iSeq 100, is used by labs that perform genetic analysis and would be vulnerable if an intruder was already inside a user’s network.
Cybersecurity firm Eclypsium found vulnerabilities that resulted from the use of outdated firmware and explained that an attacker could “overwrite the system firmware to either ‘brick’ the device or install a firmware implant for ongoing attacker persistence.” Eclypsium found nine vulnerabilities — four of which carry severity scores of 7.5 out of 10 — and two other design issues.
“As a result, any interested threat actor (e.g. PRC nation state or commercial/ransomware threat group) is able to use the same techniques and tools to exploit these vulnerabilities or tamper with these DNA sequencer devices or components in the supply chain,” a spokesperson said.
The company outlined several scenarios where an attacker would be interested in stealing data from the devices or manipulating the results of tests. An attacker could “manipulate a wide range of outcomes including faking presence or absence of hereditary conditions, manipulating medical treatments or new vaccines, faking ancestry DNA research, etc.”
Eclypsium found no evidence that hackers have used the vulnerabilities they found. A spokesperson for Illumina told Recorded Future News that the company is following its standard processes and will “notify impacted customers if any mitigations are required.”
“Our initial evaluation indicates these issues are not high-risk,” the spokesperson said.
“Illumina is committed to the security of our products and to privacy of genomic data and we have established oversight and accountability processes, including security best practices for the development and deployment of our products. As part of this commitment, we are always working to improve how we deliver security updates for instruments in the field.”
Eclypsium confirmed that Illumina has provided a fix and has notified customers of the issues.
Common motherboard
The cybersecurity firm noted that while its investigation was limited to the iSeq 100, it is likely other products are affected by the vulnerabilities because some extend back to a motherboard made by IEI Integration Corp.
“IEI develops a wide range of industrial computer products and maintains a dedicated line of business as an [Operational Data Model] for medical devices,” Eclypsium said. “As a result, it would be highly likely that these or similar issues could be found either in other medical or industrial devices that use IEI motherboards.”
IEI did not respond to requests for comment. Medical device manufacturers typically outsource the production of parts to suppliers that build the underlying computing infrastructure of the device, according to Eclypsium.
Eclypsium noted that state-backed attackers and ransomware gangs have gone after similar issues over the last decade.
The ability to overwrite firmware on the iSeq 100 “would enable attackers to easily disable the device, causing significant disruption in the context of a ransomware attack,” the company said.
“This would not only take a high-value device out of service, it would also likely take considerable effort to recover the device via manually reflashing the firmware. This could significantly raise the stakes in the context of a ransomware or cyberattack. Sequencers are critical to detecting genetic illnesses, cancers, identifying drug-resistant bacteria, and for the production of vaccines.”
Over the last two years, the U.S. Food and Drug Administration (FDA) and Cybersecurity and Infrastructure Security Agency (CISA) have warned of several serious vulnerabilities in Illumina products.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.