DNA Sequencer Flaw Exposes Private Genomic Data to Cyber Threats

A critical vulnerability in widely used DNA sequencers has been exposed, highlighting a major security threat to sensitive genomic data. Firmware security firm Eclypsium has revealed that the Illumina iSeq 100, commonly used at 23andMe and thousands of other gene-sequencing laboratories worldwide, is particularly at risk because it does not enforce Secure Boot.

In 2012, an industry-wide coalition adopted Secure Boot to protect Windows devices against malware that could infect the BIOS, the firmware that loads the operating system each time a computer boots up. This measure aimed to prevent firmware-dwelling malware from infecting devices before the operating system even loads, a position that lets such malware remain immune to detection and removal.

However, this requirement has been met with varying degrees of success in specialized devices, such as scientific instruments used in research labs. As a result, gear used in some of the world’s most sensitive environments still doesn’t enforce Secure Boot. Eclypsium’s recent analysis revealed that the Illumina iSeq 100 can boot from Compatibility Support Mode, allowing it to work with older legacy systems.

When this mode is enabled, the iSeq loads from a BIOS version dating back to 2018, which harbors years’ worth of critical vulnerabilities. These vulnerabilities could be exploited to carry out the types of firmware attacks that Secure Boot was designed to prevent. Furthermore, Eclypsium found that firmware Read/Write protections are not enabled on the device, allowing an attacker to modify the firmware and potentially compromise the entire system.
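An asset-audit check for the boot posture described above, as an added example (not code from Eclypsium, Illumina, or the original article). It assumes a Linux host that exposes UEFI variables through efivarfs; the function names and result labels are hypothetical.

```python
"""Classify a host's boot posture from Linux efivarfs data (added example)."""
import struct
from pathlib import Path

EFI_DIR = Path("/sys/firmware/efi")
# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification.
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw):
    """efivarfs layout: 4-byte little-endian attributes, then the payload."""
    if raw is None or len(raw) < 5:
        return None
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]


def classify(efi_present, secureboot_raw, setupmode_raw):
    """Return a hypothetical posture label for one host."""
    if not efi_present:
        # No /sys/firmware/efi: the OS was started by legacy BIOS or CSM,
        # so Secure Boot cannot have been enforced for this boot.
        return "LEGACY_OR_CSM"
    secure_boot = parse_efivar(secureboot_raw)
    if secure_boot is None:
        return "UEFI_SECUREBOOT_UNSUPPORTED"
    setup_mode = parse_efivar(setupmode_raw)
    if setup_mode is not None and setup_mode[1][0] == 1:
        # Setup mode: no Platform Key enrolled, signatures are not checked.
        return "UEFI_SETUP_MODE"
    if secure_boot[1][0] == 1:
        return "UEFI_SECUREBOOT_ENFORCED"
    return "UEFI_SECUREBOOT_OFF"


def _read(name):
    try:
        return (EFI_DIR / "efivars" / f"{name}-{GLOBAL_GUID}").read_bytes()
    except OSError:
        return None


def audit_host():
    """Classify the machine this script runs on."""
    return classify(EFI_DIR.is_dir(), _read("SecureBoot"), _read("SetupMode"))


if __name__ == "__main__":
    print(audit_host())
```

An enforced Secure Boot result says nothing about firmware Read/Write protections, which have to be checked separately.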

The implications of this vulnerability are severe, as it could expose sensitive genomic data to unauthorized access and manipulation. The issue is likely more widespread than just the Illumina iSeq 100 sequencer device, with medical device manufacturers often focusing on their unique area of expertise and relying on outside suppliers and services to build the underlying computing infrastructure.

This can lead to mistakes early in the supply chain that have far-reaching impacts across many types of devices and vendors. Eclypsium CTO Alex Bazhaniuk noted that an OS not receiving recent security updates poses significant risks, along with the challenges of managing assets on a network. The discovery of this vulnerability highlights the need for greater vigilance and oversight in the development and deployment of sensitive technologies like DNA sequencers.

Manufacturers and regulatory bodies must take immediate action to address this critical vulnerability. This may involve implementing stricter security protocols, providing regular software updates, and conducting thorough risk assessments to identify potential weaknesses in the supply chain. The consequences of inaction could be catastrophic, compromising the integrity of sensitive genomic data and putting countless lives at risk.