A widely used DNA sequencer contains several worrying vulnerabilities. The Illumina iSeq 100 can be “easily” disabled or rigged to produce false results, say researchers.
But it’s only the tip of the iceberg: Many other devices are likely affected. In today’s SB Blogwatch, we spot the weak link in the supply chain.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Robin Cooper scambaits.
What’s the craic? Ravie Lakshmanan reports: Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers
“Secure Boot”
Cybersecurity researchers have uncovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that [permit] attackers to brick or plant persistent malware on susceptible devices. [It] boots to an old version of BIOS … that has known vulnerabilities.
…
Absent are protections to tell the hardware where it can read and write firmware, thereby allowing an attacker to modify device firmware. Also not enabled is Secure Boot, thereby allowing malicious changes to the firmware to go undetected. … Similar issues may be present in other medical or industrial devices owing to the fact that the problems have been traced back to a … motherboard made by IEI Integration Corp.
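The two missing controls named in that quote, flash write protection and Secure Boot, are both checkable from a running Linux host. What follows is an added example written for this page; it is not code from the article, The Hacker News, Eclypsium or Illumina, and it makes these assumptions: the documented Intel PCH bit layout for BIOS_CNTL (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and the SPI Protected Range registers PRx (WPE bit 31, limit in bits 28:16, base in bits 12:0, 4 KiB granularity); that Linux exposes EFI variables under /sys/firmware/efi/efivars; and the verdict rule used by chipsec's common.bios_wp module. Every register value and variable content in the block is a constructed sample, not a reading from an iSeq 100.

```python
"""
Decode BIOS flash write protection (Intel PCH BIOS_CNTL and PRx) and the
UEFI Secure Boot state (SecureBoot / SetupMode EFI variables).

Added example, not code from the article, Eclypsium or Illumina.
Assumed register layouts: BIOS_CNTL BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5;
PRx WPE bit 31, limit bits 28:16, base bits 12:0, 4 KiB units.
All sample values below are constructed.
"""
from pathlib import Path
from typing import Optional

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host software can write the flash
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE traps to SMM
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed from SMM only

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_bios_cntl(bc: int) -> dict:
    """Split a BIOS_CNTL byte into its three write-protection bits."""
    return {"BIOSWE": bool(bc & BIOSWE),
            "BLE": bool(bc & BLE),
            "SMM_BWP": bool(bc & SMM_BWP)}


def decode_pr(pr: int) -> tuple:
    """Return (write_protect_enabled, base, limit) for one 32-bit PRx register."""
    wpe = bool((pr >> 31) & 1)
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return wpe, base, limit


def bios_region_covered(prs: list, bios_base: int, bios_limit: int) -> bool:
    """True if the enabled protected ranges together cover the whole BIOS region."""
    ranges = sorted((b, l) for wpe, b, l in map(decode_pr, prs) if wpe)
    cursor = bios_base            # first flash byte not yet known to be protected
    for b, l in ranges:
        if b > cursor:            # hole before this range: that part stays writable
            break
        cursor = max(cursor, l + 1)
        if cursor > bios_limit:
            break
    return cursor > bios_limit


def bios_write_protected(bc: int, prs: list, bios_base: int, bios_limit: int) -> tuple:
    """chipsec common.bios_wp verdict: protected when BIOSWE=0, BLE=1 and
    SMM_BWP=1, or when enabled PRx ranges cover the BIOS region.
    Returns (protected, list of reasons for each failing check)."""
    bits = decode_bios_cntl(bc)
    reasons = []
    if bits["BIOSWE"] or not bits["BLE"]:
        reasons.append("BIOS_CNTL: BLE clear or BIOSWE set, host can write the flash")
    elif not bits["SMM_BWP"]:
        reasons.append("BIOS_CNTL: BLE set but SMM_BWP clear, lock is SMI-based only")
    by_pr = bios_region_covered(prs, bios_base, bios_limit)
    if not by_pr:
        reasons.append("PRx: protected ranges do not cover the BIOS region")
    by_bc = (not bits["BIOSWE"]) and bits["BLE"] and bits["SMM_BWP"]
    return by_bc or by_pr, reasons


def efivar_data(raw: bytes) -> bytes:
    """efivars files start with 4 bytes of attributes; the variable data follows."""
    if len(raw) < 4:
        raise ValueError("efivar content too short")
    return raw[4:]


def secure_boot_enforcing(secure_boot_raw: bytes, setup_mode_raw: bytes) -> bool:
    """Signatures are enforced only when SecureBoot == 1 AND SetupMode == 0;
    a board left in Setup Mode accepts unsigned images even if SecureBoot reads 1."""
    sb, sm = efivar_data(secure_boot_raw), efivar_data(setup_mode_raw)
    return sb == b"\x01" and sm == b"\x00"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a raw EFI variable from sysfs, or None if absent (legacy boot, no efivarfs)."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_GUID}"
    return path.read_bytes() if path.exists() else None


if __name__ == "__main__":
    # Constructed samples: an unlocked board like the one described, then a locked one.
    bios_base, bios_limit = 0x500000, 0x7FFFFF
    for label, bc, prs in [("unlocked", 0x00, [0, 0, 0, 0, 0]),
                           ("locked", BLE | SMM_BWP, [0, 0, 0, 0, 0])]:
        ok, why = bios_write_protected(bc, prs, bios_base, bios_limit)
        print(f"{label}: write-protected={ok} {why}")
    print("Secure Boot enforcing (sample):",
          secure_boot_enforcing(b"\x07\x00\x00\x00\x01", b"\x07\x00\x00\x00\x00"))
    live_sb, live_sm = read_efivar("SecureBoot"), read_efivar("SetupMode")
    if live_sb and live_sm:
        print("Secure Boot enforcing (this host):", secure_boot_enforcing(live_sb, live_sm))
```

On a real system the BIOS_CNTL and PRx values come from the chipset, which is what `chipsec_main -m common.bios_wp` reads for you; the Secure Boot half reads the same efivars that `mokutil --sb-state` reports. The SetupMode check matters in practice: a firmware that reports SecureBoot=1 while still in Setup Mode enforces nothing.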
What’s the threat? Ionut Ilascu indicates it: BIOS flaws expose iSeq DNA sequencers to bootkit attacks
“Exactly what ransomware actors are after”
The Illumina iSeq 100 is advertised as a DNA sequencing system that medical and research labs can use to deliver “rapid and cost-effective genetic analysis.” Firmware security company Eclypsium … identified five major issues that allowed the exploitation of nine vulnerabilities with high and medium severity scores, one as old as 2017. … The iSeq 100 device was also vulnerable to LogoFAIL, Spectre 2, and Microarchitectural Data Sampling (MDS) attacks.
…
[The] researchers warn that a threat actor that can overwrite the firmware on iSeq 100 could “easily disable the device.” Disrupting the business by taking out high-value systems is exactly what ransomware actors are after.
Horse’s mouth? Chris Garland: Genetic Engineering Meets Reverse Engineering
“A perfect example”
We found that the Illumina iSeq 100 used a very outdated implementation of BIOS firmware. … This would allow an attacker on the system to overwrite the system firmware to either “brick” the device or install a firmware implant for ongoing attacker persistence. Instances like this … pose significant supply chain security risks due to the potential for embedded malware or backdoors.
…
Supply chain complexity exacerbates the risks of commodity hardware re-use by increasing the number of touchpoints and opportunities for vulnerabilities. … State-based attackers and ransomware operators have pivoted en masse to target firmware both in the supply chain as well as devices already in the field. … These devices [are] a ripe target for state-based actors with geopolitical motives in addition to the more traditional financial motives of ransomware actors.
…
The issue is likely much more broad than this single model of device. … It would be highly likely that these or similar issues could be found either in other medical or industrial devices that use IEI motherboards. This is a perfect example of how mistakes early in the supply chain can have far reaching impacts across many types of devices and vendors.
Yikes. Why are they ignoring NIST infosec guidelines? Mad Klingon argues there’s a regulatory battle going on:
The certification process for a piece of medical / lab equipment can take years. Once certified, mfgs are reluctant to change anything that might trigger a recertification process. This includes things that … seem simple—like BIOS updates. [It] could easily cost millions.
…
Little reason such equipment needs connecting to the Internet or even main corporate network. But they often are, because the S in bio-lab stands for security.
Aye, there’s the rub: Keep them off the internet! Gilgaron shows us the scale of the problem:
This is pretty universal for lab and hospital hardware and software, for certain classes of equipment there isn’t anything for sale that runs on anything newer than WinXP and the expectation is you aren’t going to put it on an unsecured network or give it internet access. I’m not saying it is a good thing, but it isn’t really unique to sequencers.
And the threat isn’t only ransomware. Terr_ imagines thuswise:
Fake DNA test results as a service. Exonerate your friends, frame your enemies.
And it’s not only DNA sequencers. As Rindan reminds us:
Don’t walk away thinking that this is just a random problem with a DNA sequencing machine. This is a problem with many (most?) pieces of expensive and highly specialized equipment across many industries. … The more expensive the piece of equipment, the bigger of a problem it is—because expensive pieces of equipment tend to be long lived.
Such as? OldMugwump exemplifies:
An x-ray machine that could kill a patient needs ways to be sure it can’t do that. … The real problem is the one-size-fits-all and gotta-cover-regulators’-*** attitude of the FDA.
Meanwhile, Fred Duck has a hankering for a plate of Otik’s Spiced Potatoes: [You’re fired—Ed.]
Despite that, I will still trust the results stating that I’m related to Riva Silvercrown.
The triumphant return of “Robin Cooper”—wasting a scammer’s time
Hat tip: Ambegris
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Xihao Liu (via Unsplash; leveled and cropped)