GOT SECURE BOOT? Widely used DNA sequencer still doesnt enforce Secure Boot A firmware-dwelling bootkit in the iSeq 100 could be a key win for threat actors. Dan Goodin Jan 7, 2025 9:00 am | 8 A woman placing her finger on the touch screen of the iSeq 100 gene sequencer from Illumina. Credit: Illumina A woman placing her finger on the touch screen of the iSeq 100 gene sequencer from Illumina. Credit: Illumina Story textSizeSmallStandardLargeWidth *StandardWideLinksStandardOrange* Subscribers only Learn moreIn 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect Windows devices against the threat of malware that could infect the BIOS and, later, its predecessor the UEFI, the firmware that loaded the operating system each time a computer booted up.Firmware-dwelling malware raises the specter of malware that infects the devices before the operating system even loads, each time they boot up. From there, it can remain immune to detection and removal. Secure Boot uses public-key cryptography to block the loading of any code that isnt signed with a pre-approved digital signature.2018 calling for its BIOSSince 2016, Microsoft has required all Windows devices to include a strong trusted platform module that enforces Secure Boot. To this day organizations widely regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments.Microsoft has a much harder time requiring Secure Boot to be enforced on specialized devices, such as scientific instruments used inside research labs. As a result, gear used in some of the world's most sensitive environments still doesn't enforce it. On Tuesday, researchers from firmware security firm Eclypsium called out one of them: the Illumina iSeq 100, a DNA sequencer that's a staple at 23andMe and thousands of other gene-sequencing laboratories around the world.The iSeq 100 can boot from a Compatibility Support Mode so it works with older legacy systems, such as 32-bit OSes. When this is the case, the iSeq loads from BIOS B480AM12, a version that dates to 2018, and Windows 10 2016 LTSB. Both harbor years' worth of critical vulnerabilities that can be exploited to carry out the types of firmware attacks Secure Boot envisioned.Additionally, Eclypsium said, firmware Read/Write protections aren't enabled, meaning an attacker is free to modify the firmware on the device.Eclypsium wrote:It should be noted that our analysis was limited specifically to the iSeq 100 sequencer device. However, the issue is likely much more broad than this single model of device. Medical device manufacturers tend to focus on their unique area of expertise (e.g. gene sequencing) and rely on outside suppliers and services to build the underlying computing infrastructure of the device. In this case, the problems were tied to an OEM motherboard made by IEI Integration Corp. IEI develops a wide range of industrial computer products and maintains a dedicated line of business as an ODM for medical devices. As a result, it would be highly likely that these or similar issues could be found either in other medical or industrial devices that use IEI motherboards. This is a perfect example of how mistakes early in the supply chain can have far reaching impacts across many types of devices and vendors.In an email, Eclypsium CTO Alex Bazhaniuk wrote: "To be fair, with an OS that does not get the most recent security updates, there are plenty of risks and threats, not to mention how each IT organization manages their own assets on their network."He added: "Although we dont have additional examples in the land of DNA Sequencers, it is highly likely that Secure Boot is disabled on devices besides this one from Illumina. Many medical devices are built on off-the-shelf servers and older configurations which may not have Secure Boot enabled or are running outdated firmware, as in many cases it is very hard or impossible to update."Illumina representatives thanked Eclypsium for the research and said that the iSeq 100 follows best security practices. "We are following our standard processes and will notify impacted customers if any mitigations are required," they wrote. "Our initial evaluation indicates these issues are not high-risk."When Secure Boot was first dreamed up, the threat of BIOS-based rootkit was a theoretical risk based on plausible proof-of-concepts such as the ICLord BIOS kit from 2007. In 2011, such threats became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild. Real-world instances of other malware targeting the UEFI since then include the LoJax and MosaicRegressor firmware implants.The ability to create similar infections on one of the most widely used gene sequencers could be a golden opportunity for threat actors. Ransomware groups could use one to take out all devices in a given network. Researchers have also shown how malware can cause sequencers to report false relations between arbitrary users on GEDmatch.Dan GoodinSenior Security EditorDan GoodinSenior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 8 Comments