CISA, FDA warn of new Illumina DNA device vulnerability
Several U.S. agencies warned this week about a vulnerability affecting software in devices used for DNA research that would allow hackers access to sensitive patient information.
The Food and Drug Administration (FDA) and the company behind the devices — Illumina — said they have not received any reports indicating the vulnerability has been exploited.
Illumina is one of the world’s biggest manufacturers of medical devices that handle bioanalysis and DNA sequencing.
An advisory from the Cybersecurity and Infrastructure Security Agency (CISA) said the bug, CVE-2023-1968, had a CVSS base score of 10, the highest rating possible.
The vulnerability affects Illumina’s Universal Copy Service (UCS), which is used in equipment “that may be specified either for clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or for research use only.”
The products include the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments.
“An unauthorized user could exploit the vulnerability by: taking control remotely; altering settings, configurations, software, or data on the instrument or a customer’s network; or impacting genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach,” the FDA said.
Illumina has already developed a patch and sent messages about it to affected customers on April 5.
The company urged customers to contact it if they have not received the patch or if their device was compromised. The FDA also offered companies a way to report a compromise if needed.
CISA noted that “no known public exploits specifically target these vulnerabilities.”
This is not the first time Illumina has reported vulnerabilities affecting its tools used for genetic analysis.
In June 2022, the company said a bug could impact patient test results in the instruments intended for clinical diagnosis, “including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.”
The FDA noted that its recommendations for dealing with that vulnerability “have not changed” in light of the most recent issue.
Jonathan Greig is a Breaking News Reporter at Recorded Future News.