The sequencing instrument vulnerability highlights issues with firmware in the medical device industry.
Security researchers have discovered vulnerabilities in sequencing instruments, but the broader issue involves the entire device development process.
In highlighting vulnerabilities in widely used gene sequencing equipment, security researchers have also raised concerns about the potentially poor state of security across the medical device industry, where hardware and firmware development is often outsourced to external equipment manufacturers under questionable support contracts.
This device is a compact sequencer widely used in medical laboratories around the world.
While investigating the device, researchers from the supply chain security company discovered vulnerabilities at the firmware level, as well as the absence of critical security features designed to prevent malicious firmware implantation.
The researchers wrote in a report: "We found that the firmware used is extremely outdated, employs a certain mode, and lacks secure boot or standard firmware write protection."
This allows an attacker with access to the system to overwrite its firmware, either 'bricking' the device or installing a firmware implant that gives the attacker persistence.
Genetic Engineering Meets Reverse Engineering: The Vulnerabilities of Sequencers
However, the typical nature of the development process for such devices suggests that many other medical devices may also be at risk of encountering the same or similar issues—problems that frequently arise in the realm of IoT and embedded devices, whether in the medical field or elsewhere.
A typical computer, with typical legacy technology issues
Apart from the custom casing, touchscreen interface, and other specialized peripherals used for sequencing, it doesn't differ much from a typical desktop computer.
The basic hardware includes a quad-core processor running, and.
This is not surprising because, like many medical device suppliers, they outsource hardware design and manufacturing to original design manufacturers (ODMs) — in this case, a company that develops various industrial and medical computer products.
It manufactured the motherboard inside the device and is the supplier of the Unified Extensible Firmware Interface () firmware that drives it.
It is a standardized specification for firmware in computer systems (equivalent to the modern version of), which includes low-level code responsible for initializing computer hardware before loading the operating system installed on the hard drive.
According to researchers, the firmware released in (date range from year to month to day) has known vulnerabilities. Computer and device manufacturers use implementations developed by a few independent suppliers (names), which they then configure and customize with their own code.
The vulnerabilities in the basic implementation may affect products from all manufacturers using this firmware. For example, an attack discovered in a certain year, named, impacted the basic implementations of all three major companies (Company A, Company B, and Company C) due to multiple vulnerabilities in their image parsing code.
As a result, most manufacturers had to release/update, but many older devices and motherboards remain permanently vulnerable, because manufacturers provide software support for only a few years even though these products stay in use in the real world far longer.
In the fields of the Internet of Things and embedded devices, this issue is even more severe, as dedicated real-time operating systems (RTOS) are very common in these areas.
These devices often contain firmware components developed by software companies decades ago, such as /stack, which no longer exist or have seen their intellectual property change hands multiple times over the years.
The industrial hardware supply chain is also affected by this issue. Without the provision of firmware updates, firmware security will become a difficult problem for end-users to resolve.
It is one of the vulnerabilities the researchers detected in the device's outdated firmware; other problems include a lack of firmware write protection, Secure Boot not being enabled, and the operating system booting in Compatibility Support Module () mode.
The microcode typically included in is also outdated and susceptible to known side-channel data leakage vulnerabilities affecting Intel, such as BTI (Branch Target Injection) and MDS (Microarchitectural Data Sampling).
The spokesperson stated via email: Thank you for the report and our shared commitment to the principles of coordinated vulnerability disclosure.
We are following standard procedures and will notify affected customers if any mitigation measures are necessary. Our initial assessment indicates that these issues are not high-risk.
Committed to ensuring the safety of our products and the privacy of genomic data, we have established oversight and accountability processes, including best security practices for the development and deployment of our products. As part of this commitment, we have been continuously working to improve the way we provide security updates for field instruments.
Firmware protection is required to prevent implantation.
Since the firmware update is not blocked and the firmware lacks write protection in critical areas, an attacker with local administrator access to the operating system can easily inject malicious code into the firmware or completely rewrite the firmware, rendering the device inoperable.
The researchers wrote in the report: Given that the sequencer was recently found to have serious (remote code execution) vulnerabilities (--), this situation is not uncommon.
The issue affected multiple devices, leading to a secondary recall and medical consultations.
The vulnerability of the year has now been patched, but it is common for attackers to find another vulnerability or steal the device's credentials and exploit privilege escalation vulnerabilities in the system.
Sequencer operation, version, mainstream support ended in [year] [month], but extended support options will continue until [year] [month].
Secure boot is not enabled
This means that the code responsible for starting the operating system (whether at the level or within the bootloader itself) is not cryptographically verified.
Therefore, malicious code may be injected into the boot process to control the operating system kernel, which is a type of malware attack known as (boot).
Bootkits have been in use in the field for over a decade.
Examples include (), (), (), (), (), (), and ().
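A defender-side triage of the conditions described above (a legacy/CSM boot, Secure Boot left off, and unmitigated BTI/MDS in the CPU), written as an added example that is not drawn from the research report or the vendor. It assumes a Linux host where efivarfs and the kernel's CPU vulnerability files are readable; the function and finding names are the example's own.

```python
"""Firmware posture triage (added example; not the article's or the vendor's code).
Assumes a Linux host exposing efivarfs and the kernel's CPU vulnerability files.
Parsing is separated from I/O so the logic can run on constructed inputs."""
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
EFIVARS = Path("/sys/firmware/efi/efivars")
CPU_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")
SIDE_CHANNELS = {"spectre_v2": "BTI", "mds": "MDS"}  # kernel names for the two classes

def parse_efi_bool(raw):
    """Decode a UEFI BOOLEAN as efivarfs exposes it: a 4-byte attribute
    word followed by one data byte (0x00 off, 0x01 on). None if malformed."""
    if len(raw) != 5:
        return None
    return raw[4] == 1

def parse_cpu_vuln(status):
    """Map a /sys/.../vulnerabilities/<name> line to a coarse state."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def assess(efi_booted, secureboot_raw, vulns):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not efi_booted:
        # No /sys/firmware/efi means a legacy (CSM) boot: Secure Boot cannot apply.
        findings.append("legacy_csm_boot")
    elif parse_efi_bool(secureboot_raw) is not True:
        findings.append("secure_boot_disabled")  # absent counts as disabled
    for name, label in SIDE_CHANNELS.items():
        if parse_cpu_vuln(vulns.get(name, "")) == "vulnerable":
            findings.append("unmitigated_" + label)
    return findings

def assess_local_host():
    """Collect the inputs from the running host; unreadable files become empty."""
    def rd(path):
        try:
            return path.read_bytes()
        except OSError:
            return b""
    vulns = {n: rd(CPU_VULNS / n).decode(errors="replace") for n in SIDE_CHANNELS}
    return assess(EFIVARS.is_dir(), rd(EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"), vulns)
```

Running assess_local_host() on an instrument's Linux host yields the findings list; the constructed-input functions let the same logic be applied to files copied off a device during an assessment.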
Signs of broader problems
Although the research only focused on [specific subject], the researchers believe that many medical devices may have similar firmware security issues, which originate from the hardware supply chain.
Medical device suppliers do not always manufacture the hardware themselves; instead, they focus on their core areas of expertise and outsource the remaining parts of the device development process to entities such as [and].
It is highly likely that many other manufacturers have adopted the same process. Once medical device manufacturers enter the research and development phase, they procure hardware and firmware solutions to accelerate time to market.
This process is similar to any other product transaction, where the manufacturer receives quotes for hardware/firmware and years of support—sometimes including free security updates, and sometimes not.
As far as we know, even [unspecified entity] provides updates within a certain period, but once a device exceeds a certain age, it becomes more difficult to release fixes or even generate repair codes.
Please remember that the design lifespan of industrial computer motherboards is much longer than that of the ordinary computing boards we are familiar with.