CISA Issues Warning on Critical Vulnerabilities Found in Illumina’s DNA Sequencing Devices

Published by Ari Denial on May 2, 2023

An Industrial Control Systems (ICS) medical advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) regarding a severe vulnerability affecting medical devices manufactured by Illumina.

CISA has cautioned that Illumina’s medical devices contain a severe vulnerability that could enable an unauthorized individual to remotely upload and execute code at the operating system level.

This could potentially lead to unauthorized access to sensitive data and to manipulation of settings, configurations, and software. Illumina is a California-based medical technology firm that specializes in developing and producing advanced bioanalysis and DNA sequencing machines. Its devices are used for DNA sequencing in various settings, such as clinical, research, academic, biotech, and pharmaceutical environments, across 140 countries.

The FDA has issued an advisory stating that Illumina has notified its affected customers to check their medical devices for any indication of exploitation of the recently discovered vulnerabilities.

One of the vulnerabilities (CVE-2023-1968) is deemed critical and could enable remote attackers to bind to exposed IP addresses, potentially leading to unauthorized access to network traffic and the discovery of more vulnerable hosts within the network.

Additionally, some of these devices, which can operate in either clinical diagnostic mode or RUO mode, have been labeled “For Research Use Only. Not for use in diagnostic procedures.” Some labs may use them for clinical diagnostic purposes even though they are intended for research use only.

Illumina has identified two vulnerabilities in its software. The first flaw allows for modification of settings, sending of commands, and possible unauthorized data access. The second flaw permits UCS users to execute commands with heightened privileges.

Devices and software versions not listed are unaffected by these vulnerabilities. Illumina has released a bulletin detailing the necessary steps to be taken based on the product and system configuration.

Recommended actions to address the vulnerabilities in Illumina’s medical devices include updating system software using product-specific installers, configuring UCS account credentials, and closing firewall ports.

Additionally, CISA advises users to minimize control system exposure to the internet, to use firewalls to isolate control systems from the wider network, and to employ VPNs for remote access.
