Dive Brief:
- The Department of Homeland Security has issued a cybersecurity alert about Illumina software that outlines several vulnerabilities, including three that received the top score on the department's risk scale.
- The Cybersecurity and Infrastructure Security Agency (CISA), which is a part of DHS, released the notice after learning of a problem with the Local Run Manager (LRM) software that could allow an attacker to take control remotely and alter the results generated by products including versions of the NextSeq and MiSeq sequencing instruments.
- The Food and Drug Administration posted a statement in conjunction with the DHS alert. The agency is advising users of LRM software to immediately download and run the patch developed by Illumina. “At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited,” the agency said in the June 2 statement.
Dive Insight:
LRM is Illumina’s software for “recording samples for a run, specifying run parameters, monitoring status, analyzing sequencing data, and viewing results.”
In May, according to the FDA notice, Illumina flagged a problem with the software in letters to users of some of its in vitro diagnostic devices and research-use-only instruments, namely the NextSeq 500, 550 and 550Dx, MiSeq and MiSeq Dx, iSeq 100 and MiniSeq. The letters disclosed a vulnerability that affects LRM.
Pentest, an information security consultant, discovered the vulnerability and told Illumina, which sent a report to CISA, according to the agency's alert. CISA shared details of several software vulnerabilities in an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisory late last week.
The ICS-CERT advisory describes a weakness that scored 10 on the 10-point cybersecurity risk scale, reflecting the fact that the vulnerability is exploitable remotely or with low attack complexity and could affect the results of diagnostic tests.
The FDA said an attacker could exploit the vulnerability by “impacting patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.” Only two of the instruments, NextSeq 550Dx and MiSeq Dx, are authorized as IVDs but labs may use the other devices “with tests for clinical diagnostic use,” the FDA said.
Recognizing the risk, Illumina has developed a software patch to protect against the remote exploitation of the vulnerabilities. If an at-risk device lacks access to the internet, users should contact Illumina’s tech support team for information on how to install the patch. Illumina is also “actively working to provide a permanent software fix for current and future instruments,” according to the DHS.
In addition, Illumina is advising users to take certain defensive actions to minimize the risks. The list of proposed measures includes minimizing network exposure for all control system devices, and locating control system networks and remote devices behind firewalls.
The CISA alert outlined several other vulnerabilities, such as one that can allow a malicious actor to upload files outside the intended directory structure and another that can allow the upload of any file type, including executable code that enables remote exploitation. Both of these received scores of 10 as well.
The agency said another vulnerability is that the software does not implement authentication by default, which can allow a malicious actor to “inject, replay, modify, and/or intercept sensitive data.” This received a score of 9.1.
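The three weakness classes summarized above (writing uploads outside the intended directory, accepting any file type, and operating with no authentication by default) are generic web-application defects. The following is an added illustration written for this page, not Illumina's, CISA's or the FDA's code and not a description of how LRM itself works: a minimal upload handler that enforces the corresponding checks. The directory, allowed file types, token and sample inputs are constructed assumptions.

```python
"""
Added illustration (not Illumina's or CISA's code): an upload handler that
(1) refuses requests with no or a wrong credential (default-deny),
(2) refuses file names that could escape the upload directory, and
(3) refuses file types and contents that are not plain data files.
Every name, path and token below is a constructed example value.
"""
import hmac
from pathlib import Path

ALLOWED_SUFFIXES = {".csv", ".txt", ".json"}      # assumption: data files only
UPLOAD_ROOT = Path("/tmp/example_uploads")        # constructed location


class UploadRejected(Exception):
    """Raised when any of the checks below fails."""


def check_token(presented: str, expected: str) -> None:
    """Default-deny: an absent token is rejected, and comparison is constant-time."""
    if not presented or not hmac.compare_digest(presented, expected):
        raise UploadRejected("missing or invalid credential")


def safe_destination(root: Path, client_name: str) -> Path:
    """Map a client-supplied name to a path that is guaranteed to sit directly under root."""
    name = client_name.replace("\\", "/")
    # Reject anything that is not a single plain file-name component.
    if "/" in name or "\x00" in name or name in ("", ".", ".."):
        raise UploadRejected("path separators or dot names not allowed")
    dest = (root / name).resolve()
    # Belt-and-braces: the resolved parent must be the upload root itself.
    if dest.parent != root.resolve():
        raise UploadRejected("destination escapes upload directory")
    return dest


def check_file_type(dest: Path, content: bytes) -> None:
    """Allowlist extensions and reject executable content regardless of extension."""
    if dest.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"file type {dest.suffix!r} not allowed")
    # PE ("MZ") and ELF headers mark native executables even if renamed to .csv.
    if content.startswith(b"MZ") or content.startswith(b"\x7fELF"):
        raise UploadRejected("executable content not allowed")


def validate_upload(client_name: str, content: bytes, token: str,
                    expected_token: str, root: Path = UPLOAD_ROOT):
    """Run all checks without touching disk; return (accepted, reason)."""
    try:
        check_token(token, expected_token)
        dest = safe_destination(root, client_name)
        check_file_type(dest, content)
    except UploadRejected as exc:
        return False, str(exc)
    return True, "ok"


def handle_upload(client_name: str, content: bytes, token: str,
                  expected_token: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate, then write the file inside root; raises UploadRejected on failure."""
    accepted, reason = validate_upload(client_name, content, token, expected_token, root)
    if not accepted:
        raise UploadRejected(reason)
    dest = safe_destination(root, client_name)
    root.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(content)
    return dest


if __name__ == "__main__":
    # Constructed sample requests: one benign, three that each trip a different check.
    samples = [
        ("run1.csv", b"sample,barcode\n", "t0k3n"),
        ("../../etc/passwd", b"x", "t0k3n"),
        ("run1.csv", b"MZ\x90\x00", "t0k3n"),
        ("run1.csv", b"a,b\n", ""),
    ]
    for name, body, tok in samples:
        print(name, validate_upload(name, body, tok, "t0k3n"))
```

The ordering matters: the credential check runs first so that unauthenticated callers never reach the file-name or content logic, and the name check refuses any path separator outright rather than trying to "clean" a traversal sequence, which is the usual source of bypasses.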