Widely used DNA sequencer still doesn’t enforce Secure Boot

In 2012, an industry coalition of hardware and software manufacturers implemented Secure Boot to protect Windows devices from the threat of malware that could infect the BIOS and later its successor UEFI, the firmware that loaded the operating system every time the computer booted.

Malware embedded in firmware creates the threat of malware that infects devices before the operating system even loads, every time they boot. Thanks to this, it can remain resistant to detection and removal. Secure Boot uses public key cryptography to block the boot of any code that is not signed with a pre-approved digital signature.

2018 requires its own BIOS

Since 2016, Microsoft has required all Windows devices to include a robust and secure platform module that enables secure boot. To this day, organizations widely view secure boot as an important, if not mandatory, foundation of trust for protecting devices in some of the most critical environments.

Microsoft has a much harder time requiring Secure Boot on specialized devices, such as scientific instruments used in research labs. As a result, equipment used in some of the world’s most sensitive environments still fails to comply. On Tuesday, researchers from firmware security company Eclypsium named one of them: Illumina iSeq 100DNA sequencer which is the main product 23andMe and thousands of other gene sequencing laboratories around the world.

The iSeq 100 can boot from compatibility support mode so it works with older legacy systems such as 32-bit operating systems. In this case, iSeq boots from BIOS B480AM12, version released in 2018. It contains critical vulnerabilities accumulated over the years that can be used to carry out the types of attacks on firmware provided by Secure Boot.

Additionally, according to Eclypsium, firmware read/write protection is not enabled, meaning an attacker can freely change the firmware on the device.

Eclipse wrote:

It should be noted that our analysis was limited specifically to the iSeq 100 sequencer. However, the problem is likely much broader than this single device model. Medical device manufacturers typically focus on their unique area of ​​expertise (eg, gene sequencing) and rely on external vendors and services to build the device’s core computing infrastructure. In this case, the problems were related to the OEM motherboard manufactured by IEI Integration Corp. IEI develops a wide range of industrial computer products and supports a specialized line of business as ODM for medical equipment. As a result, it is highly likely that these or similar issues may be found in either other medical or industrial devices using IEI motherboards. This is a great example of how mistakes early in the supply chain can have far-reaching consequences for many types of devices and suppliers.

In an email, Eclypsium CTO Alex Bazhanyuk wrote: “Frankly, there are a lot of risks and threats with an OS that doesn’t get the latest security updates, not to mention how every IT organization manages its own assets on its network. “