Ancient
What I would call ancient is pre-UEFI, and that would have been ok.
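Added example, not from the article or any commenter: a small POSIX shell check for the "is this box even UEFI?" question. On Linux, `/sys/firmware/efi` only exists when the kernel was booted via UEFI, and the `SecureBoot` variable (under the EFI global variable GUID, exposed through efivarfs as four attribute bytes followed by one data byte) tells you whether Secure Boot is on. The `ROOT` argument is an assumption of this script so it can be pointed at a fake sysfs tree; run it with no argument on the real host. A `legacy-bios` answer means there is no Secure Boot to check at all, which is the situation the comment above describes.

```shell
#!/bin/sh
# boot_mode ROOT: classify how a Linux host booted by reading sysfs under ROOT.
# ROOT="" inspects the live system; a constructed tree can be passed for testing.
# Prints one of:
#   legacy-bios                 no /sys/firmware/efi, i.e. CSM/legacy boot
#   uefi secureboot=enabled|disabled|unknown
boot_mode() {
  root="$1"
  efi="$root/sys/firmware/efi"
  if [ ! -d "$efi" ]; then
    echo "legacy-bios"
    return 0
  fi
  # SecureBoot is stored under the EFI global variable GUID (real identifier).
  var="$efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
  if [ ! -r "$var" ]; then
    # efivarfs not mounted, or variable not exposed: cannot tell.
    echo "uefi secureboot=unknown"
    return 0
  fi
  # efivarfs layout: 4 bytes of attributes, then the variable data (1 byte here).
  state=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
  case "$state" in
    1) echo "uefi secureboot=enabled" ;;
    0) echo "uefi secureboot=disabled" ;;
    *) echo "uefi secureboot=unknown" ;;
  esac
}

# When executed directly, report on the live system (or on the tree given as $1).
boot_mode "${1:-}"
```

On a distribution that ships shim, `mokutil --sb-state` gives the same answer for the Secure Boot part; the point of reading sysfs directly is that it works on a stripped-down instrument PC with nothing installed.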
Cybersecurity shop Eclypsium claims security issues affecting leading DNA sequencing devices could lead to disruptions in crucial clinical research. The iSeq 100, developed by manufacturer Illumina, was torn down and found to be running an insecure BIOS implementation that opened up the device to malware and ransomware attacks …
"In all of these examples, attackers targeted firmware as a way to ensure their malicious code could run below the level of the operating system while also establishing ongoing persistence outside of the physical device storage drives."
That's what I was about to come and say. If you want "secure", put the thing in its own intranet that can send out results and stuff to the relevant people, but is itself completely inaccessible from the wider world.
[yes, that won't stop somebody physically present, but in that case they would have bigger problems at hand]
"And if data needs to be taken from the machine, use a sneaker net."
The Windows machines I have aren't allowed on the internet. I use Little Snitch to limit what my Macs will send out. I do have a minipc google sort of thing that I am setting up that will run ChromeOS and a browser for a very specific task. When it gets infected, I'll just wipe the drive and reinstall the OS and browser. I have a few other PCs that will wind up running a couple of CNC machines that aren't connected to the network, and there's no need for them to be.
So if you get through a long enough chain of possible hops, you have a security issue on a rare bit of equipment that someone might maybe be able to target.
In reality short of an explicitly targeted attack nothing is going to happen.
It's not like most attackers are going to aim to target something like this, they want maximum return for minimal effort which means exploiting something widespread. This issue is a bit too niche and old for that. Assuming the machines are even accessible in the first place.
From the article:
"Over the past decade, the state of the BIOS/UEFI security landscape has changed considerably," said the researchers. "State-based attackers and ransomware operators have pivoted en masse to target firmware both in the supply chain as well as devices already in the field."
Alrighty then! Let's, in a panic, update the BIOS of these machines forthwith (if not fifthwith), and pray to $DEITY that the new BIOS's supply chain hasn't already been poisoned. There is something to be said about the First Rule of Computer Science. (Especially considering the operating conditions outlined by the above commentards who actually work in these environments.)
Sounds like someone's trolling for some business...
This is news to absolutely nobody working in this area. Labs are chock full of equipment that needs exceptions to IT rules to be allowed to continue being used.
The odder the instrument, the older it often is, and the software even more peculiar. An ESR* machine running OS9 on an M68000 is probably not the worst, but the upside is they rarely have any networking, or at "best" an AUI or 10base2 port, which might be a challenge these days. A fair number run NT4 or OS/2 v2, not always on standard 286/386 PC hardware.
Cannot begin to imagine why anyone sane or otherwise would want to hack this stuff as the data stored on the computer attached to the instrument is ephemeral and often in closed formats only decipherable by the instrument vendor's software usually running on a separate more modern Windows PC.
Lab instruments are usually pretty immovable which makes securing their network access a little easier.
Generally institutional IT just pretends this stuff doesn't exist and completely ignores it but certainly excludes any kit in a "lab", even vanilla Windows desktops, from any support whatsoever.
* electron spin resonance not erythrocyte sedimentation rate
TFA just says that a random piece of kit was subject to a teardown and it was found that the kit could be vulnerable.
No statement as to how vulnerable, or by what vector.
To load the exploit, would an attacker need to be plugging into the physical BIOS update port on the back of the box? If there was a more exciting way of getting in, like sending a special packet on a LAN, wouldn't they be crowing about that? "Look, look, it is really easy, buy our product!"
As many have pointed out above, lab kit is, well, basically as crude as much other industrial control kit, and treated as such. So it doesn't get directly connected to the Internet!
Is the particular piece of kit important? Well, it makes for a good headline. Shades of Frankenstein if a DNA sequence is leaked or modified! Bet that you could take many a piece of kit out of the lab and, without considering how it was actually wired up (if at all), you could probably break into it. But the fear factor would be so much lower. What about the camera sitting on top of that microscope? Or that PCR Reaction Chamber (which also sounds awfully scary but is just a water heater with a timer and thermostat)?
"<<Random company>> is committed to the security of our products ... yada yada yada"
Is there any point in making this hackneyed statement?
It means nothing and has zero information content, sincerity or truth, as it has been used by everyone who gets caught out when they use vulnerable kit.
<<Random company>> is NOT committed to security or anything like it, otherwise you would not be responding to a random cybersecurity group's claim to fame.
Reality is that you used the cheapest available kit that would do the job and NEVER gave it another thought, even though attacks at the BIOS level became more and more common in general.
Your cheap, and now old, option would of course be likely to be vulnerable, BUT who cares ... not you!
:)
"Thankfully they turn physical DNA into text strings, and not the other way around!"
This is true for 'sequencers', such as the specific one mentioned, but bespoke DNA synthesis is absolutely a thing:
for instance:
https://www.thermofisher.com/us/en/home/life-science/cloning/gene-synthesis/geneart-gene-synthesis.html
"Cybersecurity shop Eclypsium claims security issues affecting leading DNA sequencing devices could lead to disruptions in crucial clinical research."
Proper bullshit. Pre-UEFI is just old, and they have zero actual issues presented. Pure "pay us and we check" BS.
Also, these machines are either not on a network at all or at least only on an intranet, so yet another level of bullshit.