Experts warn DNA sequencers are vulnerable to bootkit attacks
- Researchers from Eclypsium find vulnerability in the way iSeq 100 boots up
- The bug allows threat actors to establish persistence, brick the device, or tamper with the results
- A patch has since been made available, so update now
A popular DNA sequencer has been found carrying a vulnerability allowing threat actors to establish persistence on the device, destroy the hardware, or even tamper with the results, experts have claimed.
Researchers from Eclypsium analyzed the BIOS firmware in iSeq 100, a DNA sequencer built by a US biotechnology company Illumina, a benchtop sequencing system designed for small-scale genomic and targeted sequencing applications. It is used to read and analyze DNA, help researchers understand genetic information, study diseases, develop treatments, or explore how organisms are related.
Eclypsium said the device boots an older version of the BIOS firmware, which even ran in Compatibility Support Mode (CSM), in order to support older devices. It did not boot with standard protections, including Secure Boot technology.
Manipulating outcomes
All of this made iSeq 100 vulnerable to nine different bugs, some discovered in 2017, and with different severity scores. Threat actors could launch LogoFAIL, Spectre 2, and Microarchitectural Data Sampling (MDS) attacks against these devices, it was claimed.
To make matters worse, Eclypsium said it only analyzed this specific model, and that it is possible that other models are suffering from the same drawbacks, as well, especially since the motherboards in these devices were built by a third party.
“If the data is manipulated by an implant/backdoor in these devices, then a threat actor may manipulate a wide range of outcomes including faking presence or absence of hereditary conditions, manipulating medical treatments or new vaccines, faking ancestry DNA research, etc,” Eclypsium said.
Since making the discovery, Eclypsium notified the iSeq 100 manufacturer, who came back with a patch. There was no word on how many devices are vulnerable, or how fast the patch will be applied on all of them.
“Our initial evaluation indicates these issues are not high-risk,” an Illumina representative told BleepingComputer.
Via BleepingComputer
You might also like
Researchers from Eclypsium find vulnerability in the way iSeq 100 boots up The bug allows threat actors to establish persistence, brick the device, or tamper with the results A patch has since been made available, so update now A popular DNA sequencer has been found carrying a vulnerability allowing threat…
