Security researchers have uncovered vulnerabilities in sequencing instruments, but the broader issue involves the entire device development process. While highlighting vulnerabilities in widely used gene sequencing equipment, security researchers are further concerned about the potentially poor security situation in the medical device industry, where hardware and firmware development is often outsourced to external manufacturers based on questionable support contracts.

This device is a compact sequencer widely used in medical laboratories around the world. During the investigation of this device, researchers from the supply chain security company discovered vulnerabilities at the firmware level, as well as the absence of critical security features designed to prevent malicious firmware implantation.

The researchers wrote in a report: "We found that the firmware used is severely outdated, employs a certain mode, and lacks secure boot or standard firmware write protection. This would allow an attacker on the system to overwrite the system firmware, thereby 'bricking' the device or installing a firmware implant to achieve persistent attacker persistence."

Genetic engineering meets reverse engineering: the vulnerable BIOS of DNA sequencers https://eclypsium.com/blog/genetic-engineering-meets-reverse-engineering-dna-sequencers-vulnerable-bios/

However, the typical nature of the development process for such devices suggests that many other medical devices may also be at risk of encountering the same or similar issues—problems that frequently arise in the realm of IoT and embedded devices, whether in the medical field or elsewhere.

A typical computer with typical legacy technology problems

Apart from the custom casing, touchscreen interface, and other custom peripherals used for sequencing, the device does not differ much from an ordinary desktop computer. Its core hardware is a quad-core processor running a specific operating system, along with other standard components.

This is not surprising because, like many medical device vendors, the manufacturer outsources hardware design and manufacturing to an Original Design Manufacturer (ODM) — in this case, a company that develops a range of industrial and medical computer products. The ODM builds the motherboard inside the device and is also the supplier of the Unified Extensible Firmware Interface (UEFI) firmware that drives it.

UEFI is a standardized specification for firmware in computer systems (equivalent to a modern version of ), consisting of the low-level code responsible for initializing the hardware before loading the operating system installed on the disk. According to researchers from , the firmware within ( – ) released in contains known vulnerabilities.

Computer and device manufacturers use UEFI implementations developed by a small number of independent firmware vendors, which they then configure and customize with their own code. A vulnerability in the base implementation of the firmware can therefore affect the products of every manufacturer that builds on that firmware.

For example, an attack discovered in a certain year, named, affected the fundamental implementations of all three major systems (, , and ) due to multiple vulnerabilities in their image parsing code. As a result, most manufacturers had to release updates or patches, but many older devices and motherboards remain permanently vulnerable because, despite their longer real-world usage, manufacturers only provide software support for a few years.

In the realm of IoT and embedded devices, this issue is even more pronounced due to the prevalence of dedicated real-time operating systems (RTOS) in these areas. Firmware components developed decades ago by software companies, such as / stacks, are often found in these devices. These companies may no longer exist, or their intellectual property may have changed hands multiple times over the years. The industrial hardware supply chain is also affected by this problem, and without firmware updates, firmware security becomes a difficult issue for end-users to resolve.

The weaknesses detected in the outdated firmware include the lack of firmware write protection, the failure to enable Secure Boot, and the operating system starting in compatibility support mode (). The microcode typically bundled in is also outdated and susceptible to known side-channel data-leakage vulnerabilities affecting Intel processors, such as (Branch Target Injection) and and (Microarchitectural Data Sampling).

The spokesperson stated via email: Thank you for the report and our shared commitment to the principles of coordinated vulnerability disclosure. We are following standard procedures and will notify affected customers if any mitigation measures are necessary. Our initial assessment indicates that these issues are not high risk. Committed to ensuring the security of our products and the privacy of genomic data, we have established oversight and accountability processes, including best security practices for our product development and deployment. As part of this commitment, we have been working to improve the way we provide security updates for field instruments.

Firmware protection is required to prevent implants

Because firmware updates are not blocked and the firmware lacks write protection for its critical regions, an attacker with local administrator access to the operating system can inject malicious code into the firmware, or rewrite it entirely and render the device inoperable.

The researchers wrote in the report: Given that the sequencer was recently found to have serious (remote code execution) vulnerabilities (--), this situation is not uncommon. The issue affected multiple devices, leading to a secondary recall and medical consultations. The vulnerabilities from the year have now been patched, but it is common for attackers to find another vulnerability or steal device credentials and exploit privilege escalation vulnerabilities in the system.

Mainstream support for the operating system version the sequencer runs ended in [year] [month], though extended support options continue until [year] [month]. With Secure Boot disabled, the code responsible for starting the operating system (whether at the [level] or the boot loader itself) is not cryptographically verified before it runs. Malicious code could therefore be inserted into the startup process to take control of the operating system kernel, a class of malware attack known as a (boot).
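The three posture weaknesses the article lists (no BIOS region write protection, Secure Boot disabled, legacy/CSM boot) can each be checked from inside the operating system. The script below is an added example written for this page, not code from the article or from the researchers' report. It assumes the Intel PCH BIOS_CNTL register layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5, the same bits a tool such as chipsec's bios_wp module evaluates) and the Linux efivarfs layout for UEFI variables (4 bytes of attributes followed by the variable data). The register values and variable bytes fed into it are constructed samples, one weak configuration resembling what the article describes and one hardened configuration for comparison.

```python
"""Firmware posture checks: BIOS write protection, Secure Boot, boot mode.

Added example for this article (not the authors' or researchers' code).
Assumptions, labelled as such:
  * Intel PCH BIOS_CNTL register bits (assumed layout, LPC PCI config 0xDC):
      bit 0 BIOSWE  - BIOS Write Enable
      bit 1 BLE     - BIOS Lock Enable (SMI raised on BIOSWE writes)
      bit 5 SMM_BWP - SMM BIOS Write Protect (writes allowed only from SMM)
  * Linux efivarfs layout: 4-byte little-endian attributes + variable data.
"""
import os
import struct
from dataclasses import dataclass
from typing import List

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SECUREBOOT_VAR = "SecureBoot-" + EFI_GLOBAL_GUID
SETUPMODE_VAR = "SetupMode-" + EFI_GLOBAL_GUID

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


@dataclass
class WriteProtectStatus:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # OS-level code is locked out of the BIOS region only when the lock
        # bit is set AND writes are restricted to SMM; BIOSWE must be clear.
        return (not self.bioswe) and self.ble and self.smm_bwp


def decode_bios_cntl(value: int) -> WriteProtectStatus:
    """Decode a raw BIOS_CNTL byte into the three protection-relevant bits."""
    return WriteProtectStatus(
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def parse_efivar_bool(raw: bytes) -> bool:
    """Parse a one-byte boolean UEFI variable as exposed by efivarfs."""
    if len(raw) < 5:
        raise ValueError("efivar payload too short: need 4 attr bytes + 1 data byte")
    _attrs = struct.unpack("<I", raw[:4])[0]  # attributes are not needed here
    return raw[4] == 1


def secure_boot_enforcing(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Secure Boot only enforces signatures when SecureBoot==1 and SetupMode==0."""
    return parse_efivar_bool(secureboot_raw) and not parse_efivar_bool(setupmode_raw)


def boot_mode(sysfs_root: str = "/sys") -> str:
    """'uefi' if the kernel exposes EFI runtime data, else 'legacy-or-csm'."""
    efi_dir = os.path.join(sysfs_root, "firmware", "efi")
    return "uefi" if os.path.isdir(efi_dir) else "legacy-or-csm"


def assess(bios_cntl: int, secureboot_raw: bytes, setupmode_raw: bytes, mode: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    wp = decode_bios_cntl(bios_cntl)
    if not wp.protected:
        findings.append(
            "BIOS region not write-protected (BIOSWE=%d BLE=%d SMM_BWP=%d)"
            % (wp.bioswe, wp.ble, wp.smm_bwp)
        )
    if not secure_boot_enforcing(secureboot_raw, setupmode_raw):
        findings.append("Secure Boot not enforcing (SecureBoot!=1 or SetupMode==1)")
    if mode != "uefi":
        findings.append("booted via legacy BIOS / CSM path, not native UEFI")
    return findings


# Constructed sample inputs (not captured from any real device).
ATTRS_BS_RT = b"\x06\x00\x00\x00"            # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
WEAK_BIOS_CNTL = 0x01                        # BIOSWE set, BLE and SMM_BWP clear
WEAK_SECUREBOOT = ATTRS_BS_RT + b"\x00"      # SecureBoot = 0
WEAK_SETUPMODE = ATTRS_BS_RT + b"\x01"       # SetupMode = 1
HARDENED_BIOS_CNTL = 0x22                    # BLE | SMM_BWP, BIOSWE clear
HARDENED_SECUREBOOT = ATTRS_BS_RT + b"\x01"  # SecureBoot = 1
HARDENED_SETUPMODE = ATTRS_BS_RT + b"\x00"   # SetupMode = 0

if __name__ == "__main__":
    for label, cntl, sb, sm, mode in (
        ("weak", WEAK_BIOS_CNTL, WEAK_SECUREBOOT, WEAK_SETUPMODE, "legacy-or-csm"),
        ("hardened", HARDENED_BIOS_CNTL, HARDENED_SECUREBOOT, HARDENED_SETUPMODE, "uefi"),
    ):
        result = assess(cntl, sb, sm, mode)
        print(label, "->", result or "no findings")
```

On a live Linux host the same functions apply to real inputs: read `SECUREBOOT_VAR` and `SETUPMODE_VAR` from `/sys/firmware/efi/efivars/`, obtain the BIOS_CNTL byte with a privileged PCI config read, and pass `boot_mode()` for the mode. A configuration where BLE is set but SMM_BWP is clear still reports as unprotected, because with SMM_BWP clear a write that runs inside SMM is not blocked; that is the reason the property requires both bits rather than BLE alone.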

The starter kit has been used in the field for over a decade. Examples include (), (), (), (), (), (), and ().

Signs of broader issues

Although the study focused solely on [specific subject], the researchers believe that many medical devices may have similar firmware security issues, which stem from the hardware supply chain. Medical device vendors do not always manufacture the hardware themselves; instead, they concentrate on their core areas of expertise and outsource the rest of the device development process to [specific companies or entities] and others.

Many other manufacturers are likely to follow the same process. When a medical device manufacturer enters the research and development phase, it procures hardware and firmware solutions to shorten time-to-market. The transaction resembles any other product purchase: the manufacturer receives a quote for the hardware/firmware and for a number of years of support—sometimes including free security updates, and sometimes not.

As far as we know, even when the ODM provides updates for a certain period, once a device exceeds a certain age it becomes much harder to release fixes or even to produce the patched code. Keep in mind that the design lifespan of industrial computer motherboards is far longer than that of the consumer computing boards we are familiar with.

Author: Emma

An experienced news writer, focusing on in-depth reporting and analysis in the fields of economics, military, technology, and warfare. With over 20 years of rich experience in news reporting and editing, he has set foot in various global hotspots and witnessed many major events firsthand. His works have been widely acclaimed and have won numerous awards.
