Source: www.csoonline.com
Eclypsium security researchers have uncovered UEFI vulnerabilities in the Illumina iSeq 100 DNA sequencer, but the broader issue involves the device development process at large.
In highlighting vulnerabilities in a widely used DNA gene sequencing device, security researchers have brought further attention to the likely poor state of security in the medical device industry, where hardware and firmware development is often outsourced to external equipment manufacturers under questionable support contracts.
The device, Illumina’s iSeq 100 compact DNA sequencer, is used by medical laboratories around the world for a wide range of applications. When investigating the device, researchers from supply chain security firm Eclypsium discovered vulnerabilities at the firmware level, as well as key missing security features designed to prevent malicious firmware implants.
“We found that the Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM mode and without Secure Boot or standard firmware write protections,” the researchers wrote in a report. “This would allow an attacker on the system to overwrite the system firmware to either ‘brick’ the device or install a firmware implant for ongoing attacker persistence.”
But the nature of the development process typical for such devices suggests many other medical devices may be at risk of the same or similar issues — problems that often arise in the IoT and embedded device space, medical or otherwise.
A typical x86 computer — with typical legacy tech problems
Aside from its custom case, touchscreen interface, and other custom peripherals used for DNA sequencing, the iSeq 100 isn’t very different from a typical x86 desktop PC. Its base hardware consists of an Intel Celeron J1900 2GHz Quad Core CPU, 8GB RAM, and 240GB SSD running Windows 10 IoT Enterprise.
That’s not surprising given that Illumina, like many medical device vendors, outsourced the hardware design and manufacturing to an original design manufacturer (ODM) — in this case IEI Integration, which develops a wide range of industrial and medical computer products. IEI manufactured the motherboard inside the iSeq 100 and it is the supplier of the Unified Extensible Firmware Interface (UEFI) firmware that powers the device.
UEFI is a standardized specification for firmware in computer systems — the modern equivalent to BIOS — and includes the low-level code responsible for initializing a computer’s hardware before loading the operating system installed on the hard drive.
According to Eclypsium’s researchers, the firmware inside the iSeq 100 (B480AM12 – 04/12/2018) was released in 2018 and has known vulnerabilities. Computer and device manufacturers use UEFI implementations developed by a handful of independent BIOS vendors (IBVs) that they then configure and customize with their own code.
A vulnerability in the base UEFI implementation from an IBV is likely to impact products from all manufacturers that use that IBV’s firmware. For example, one attack dubbed LogoFAIL, discovered in 2023, affected base UEFI implementations from all three major IBVs — Insyde, AMI, and Phoenix — due to multiple vulnerabilities in their image parsing code.
As a result, most PC manufacturers had to release BIOS/UEFI updates, but many older PCs and motherboards have remained vulnerable in perpetuity because PC manufacturers offer software support only for a few years despite those products being used in the real world for much longer.
That problem is even worse in the IoT and embedded device space, where specialized real-time operating systems (RTOSes) are common. Firmware components such as TCP/IP stacks originally developed decades ago by software companies that no longer exist or whose intellectual property changed hands more than once over the years are often found in these devices.
Industrial hardware supply chains are impacted by this issue as well, making firmware security a difficult problem to tackle for end users if no firmware updates are provided. LogoFAIL is one of the vulnerabilities Eclypsium detected in iSeq 100’s outdated firmware, along with other issues such as the absence of firmware write protections, Secure Boot not being enabled, and the OS booting in Compatibility Support Mode (CSM).
The CPU microcode, typically included in UEFI, was also outdated and vulnerable to known side-channel data leak vulnerabilities impacting Intel CPUs such as Spectre v2 (Branch Target Injection) and Fallout and RIDL (Microarchitectural Data Sampling).
“Illumina appreciates Eclypsium Research’s report and our shared commitment to the Coordinated Vulnerability Disclosure principles,” an Illumina spokesperson told CSO via email. “We are following our standard processes and will notify impacted customers if any mitigations are required. Our initial evaluation indicates these issues are not high-risk.”
The spokesperson continued: “Illumina is committed to the security of our products and to privacy of genomic data and we have established oversight and accountability processes, including security best practices for the development and deployment of our products. As part of this commitment, we are always working to improve how we deliver security updates for instruments in the field.”
Firmware protections needed to prevent UEFI implants
Since firmware flashing is not blocked and the firmware is missing write protections for critical regions, attackers with local administrator access on the OS could easily inject malicious code into the firmware or rewrite it entirely, rendering the device inoperable.
“This is not a far-fetched scenario given that the Illumina sequencers were recently found to have a critical RCE (Remote Code Execution) vulnerability (CVE-2023-1968),” the Eclypsium researchers wrote in their report. “The issue affected a variety of Illumina devices, resulting in an FDA Class II recall as well as an ICS Medical Advisory from CISA.”
That 2023 RCE vulnerability has since been patched, but attackers could find another vulnerability or steal credentials for the device and then exploit one of the privilege escalation flaws that are common in Windows. The Illumina sequencer runs Windows 10 2016 LTSB, Version 1607, for which mainstream support ended in October 2021, although the extended support option will continue until October 2026.
The fact that Secure Boot is not enabled means the code responsible for booting the operating system, both at the UEFI level and the Windows bootloader itself, is not cryptographically verified. As such, malicious code could be injected into the boot process to take control of the OS kernel, a malware attack known as a bootkit (boot rootkit).
UEFI bootkits have been used in the wild for over a decade. Examples include LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023).
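As an added example (not from Eclypsium’s report or any Illumina tooling), the following PowerShell audit checks, from inside the Windows 10 OS on a device like this, for the conditions described above: legacy/CSM boot, Secure Boot disabled, old firmware, and the Windows 10 1607 servicing branch. The function name Get-FirmwarePostureReport and the 2019-01-01 firmware date cutoff are my own assumptions; the rest uses only built-in cmdlets.

```powershell
function Get-FirmwarePostureReport {
    $findings = @()

    # 1. Boot mode: 'Legacy' means Windows booted through CSM, so UEFI
    #    Secure Boot cannot be in effect. Windows sets $env:firmware_type
    #    to 'UEFI' or 'Legacy'.
    $bootMode = $env:firmware_type
    if ($bootMode -ne 'UEFI') {
        $findings += "Booted in legacy/CSM mode ($bootMode); Secure Boot unavailable"
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on non-UEFI
    #    systems or where the platform does not expose the variable.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }
    if (-not $secureBoot) {
        $findings += 'Secure Boot disabled or unsupported; boot chain is not cryptographically verified'
    }

    # 3. Firmware age. The iSeq 100 firmware in the article is dated
    #    04/12/2018; the cutoff below is an assumed value, set it to the
    #    vendor's latest release. Get-CimInstance returns ReleaseDate as [datetime].
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cutoff = Get-Date '2019-01-01'
    if ($bios.ReleaseDate -lt $cutoff) {
        $findings += "Firmware $($bios.SMBIOSBIOSVersion) dated $($bios.ReleaseDate.ToString('yyyy-MM-dd')) predates cutoff"
    }

    # 4. OS servicing branch. Build 14393 is Windows 10 version 1607 (2016 LTSB),
    #    out of mainstream support since October 2021.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.BuildNumber -eq '14393') {
        $findings += 'Windows 10 1607 (2016 LTSB): mainstream support ended October 2021'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        BootMode        = $bootMode
        SecureBoot      = $secureBoot
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        OSBuild         = $os.BuildNumber
        Findings        = $findings
    }
}

# Run in an elevated session; an empty Findings list means none of the
# article's conditions were observed on this host.
Get-FirmwarePostureReport | Format-List
```

The missing firmware write protections the article describes are chipset register settings that Windows APIs do not expose; verifying them needs a platform-level tool such as chipsec (its common.bios_wp module).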
Sign of a broader issue
While Eclypsium’s research looked only at the Illumina iSeq 100, the researchers believe many medical devices likely suffer from similar firmware security issues inherited from the hardware supply chain. Medical device vendors don’t always manufacture their device hardware themselves, instead focusing on their core area of expertise and outsourcing the rest of the device development process to ODMs and IBVs, for example.
“It is more than likely that the same process is utilized by many other manufacturers,” Alex Bazhaniuk, CTO of Eclypsium, told CSO. “Once a medical device manufacturer enters the R&D phase, they go ‘shopping’ at ODMs and IBVs for hardware and firmware solutions to accelerate their time to market. This process is treated like any other product transaction where the manufacturer gets offered a quote for the [hardware/firmware] and support for X years — sometimes this includes security updates at no cost and sometimes it does not.”
“From what we have seen, ODMs and even IBVs will provide updates up to a certain point, but once the device passes a certain age, it is much harder to issue fixes or even generate code for the fixes to begin with,” he said. “Keep in mind that industrial computer boards are designed to operate for much longer than regular computing boards we are familiar with.”
Original Post url: https://www.csoonline.com/article/3635417/dna-sequencer-vulnerabilities-signal-firmware-issues-across-medical-device-industry.html
Category & Tags: Medical Devices, Supply Chain, Vulnerabilities