A significant vulnerability in Illumina gene sequencing software puts a spotlight on the need to bolster cybersecurity in the medical industry.
Both CISA and the FDA have released an urgent call to notify the public about two vulnerabilities discovered in Illumina’s Universal Copy Service (UCS), used for DNA sequencing in clinical settings and medical institutions in over 100 countries.
“An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product,” warns a CISA advisory released yesterday.
California-based medical technology company, Illumina, is behind the gene sequencing technology software, used widely across the world in clinical and research settings.
Security issues in DNA sequencing pose very specific risks, explains Josh Corman, vice president of cyber safety strategy at Claroty.
In his words, “Anything that touches DNA — yes, it’s a privacy concern — but also think about digital forensics or think about custom cancer treatments, right?” he says. “If you could taint evidence for a crime, if you could mess with someone’s treatment, if you cast doubt on a particular device manufacturer — this is an integrity attack to me, not so much just attacking the availability of the device or using it as a jumping off point for ransomware.”
“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” reads an advisory by the FDA.
“Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled “For Research Use Only. Not for use in diagnostic procedures.” – though some laboratories may be using them with tests for clinical diagnostic use.”