Critical BIOS/UEFI Vulnerabilities Allow Attackers To Overwrite System Firmware

Researchers discovered critical BIOS/UEFI vulnerabilities in the Illumina iSeq 100 DNA sequencer, where the device utilizes an outdated firmware implementation with CSM mode lacking essential security features like Secure Boot and firmware write protections.  

The vulnerability window allows attackers to exploit the system, potentially overwriting the firmware to either disable the device or install malicious code for persistent access. 

Due to the presence of potential embedded malware, backdoors, and the absence of security updates, the attack surface is increased by outdated firmware and complex supply chains. 

NIST guidelines for genomic information cybersecurity emphasize the crucial role of hardware and software security, recommending stringent configuration management and integrity checks for such systems to mitigate these risks.   

Over the past decade, attackers have increasingly targeted BIOS/UEFI firmware, exploiting supply chain vulnerabilities and compromising devices in the field which has led to a surge in firmware-based attacks, including ransomware. 

In response, technology vendors have implemented various security measures, such as secure boot, platform integrity checks, and remote attestation. 

While attackers have continued to adapt, leveraging sophisticated techniques like malicious firmware updates, bootkit infections, and hardware Trojans to circumvent these defenses. 

The iSeq 100 device exhibits several critical security vulnerabilities by utilizing Compatibility Support Mode (CSM) instead of the more secure UEFI, allowing it to boot legacy BIOS firmware and potentially introducing compatibility issues and security risks. 

It also runs on an outdated BIOS version with known vulnerabilities and lacks essential firmware protections. Read/Write protections are disabled, enabling attackers to freely modify the device’s firmware. 

The absence of Secure Boot makes it possible for malicious firmware modifications to go undetected, which significantly increases the risk of compromise.

Exploiting the Vulnerability

Exploiting the RCE vulnerability could grant attackers remote code execution, allowing them to modify firmware arbitrarily, which includes potentially bricking the device, a simpler attack than manipulating test results. 

Within its software guidance, the Food and Drug Administration (FDA) emphasizes the significance of securing all software on devices, including firmware. 

To address this, vendors must rigorously assess components from their suppliers and healthcare organizations need tools to evaluate the security of devices before deployment, which requires a shift towards comprehensive firmware security assessments to mitigate risks and ensure the integrity of medical devices.

Prior research has demonstrated the vulnerability of BIOS/UEFI in traditional devices, leading to successful exploitation by adversaries like Hacking Team, LoJax, and MosaicRegressor. 

According to the Eclypsium report, the trend extends to non-standard devices, with attackers targeting firmware in network, application, and IoT devices to gain initial access or maintain a persistent presence. 

The iSeq 100, a critical device in healthcare and research, is susceptible to similar attacks. Compromised firmware on the iSeq 100 could enable attackers to disrupt operations through device disablement, impacting critical research and potentially serving geopolitical or financial motives.   

As all subsequent software layers rely on the integrity of firmware, its compromise severely undermines overall device security.

Just as life scientists utilize tools to analyze DNA for vulnerabilities, IT and security teams necessitate specialized tools to assess the fundamental firmware code for potential weaknesses, ensuring the robust security of the underlying technology.

ANY.RUN Threat Intelligence Lookup - Extract Millions of IOC's for Interactive Malware Analysis: Try for Free