The U.S. government has sounded the alarm about a critical software vulnerability found in genomics giant Illumina’s DNA sequencing devices, which hackers can exploit to modify or steal patients’ sensitive medical data.
In separate advisories released on Thursday, U.S. cybersecurity agency CISA and the U.S. Food and Drug Administration warned that the security flaw — tracked as CVE-2023-1968 with the maximum vulnerability severity rating of 10 out of 10 — allows hackers to remotely access an affected device over the internet without needing a password. If exploited, the bug could allow hackers to compromise devices to produce incorrect or altered results, or none at all.
The advisories also warn of a second vulnerability, tracked as CVE-2023-1966 with a lower severity rating of 7.4 out of 10. The bug could allow attackers to remotely upload and run malicious code at the operating system level, allowing them to alter settings and access sensitive data on the affected product.
The vulnerabilities affect Illumina’s iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq and NovaSeq products. These products, used worldwide in the healthcare sector, are designed for clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or research purposes.
Illumina spokesperson David McAlpine told TechCrunch that Illumina has “not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence of any vulnerabilities being exploited.” McAlpine declined to say whether Illumina has the technical means to detect exploitation, or say how many devices are vulnerable to the flaws.
Illumina CEO Francis deSouza said in January that its installed base was more than 22,000 sequencers.
In a LinkedIn post, Illumina CTO Alex Aravanis said that the company discovered the vulnerability as part of routine efforts to assess its software for potential vulnerabilities and exposures.
“Upon identifying this vulnerability, our team worked diligently to develop mitigations to protect our instruments and customers,” Aravanis said. “We then contacted and worked in close partnership with regulators and customers to address the issue with a simple software update at no cost, requiring little to no downtime for most.”
News of the Illumina vulnerability comes after the FDA last month announced it will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product. Device makers will have to submit a plan explaining how they plan to track and address vulnerabilities, and include a software bill of materials detailing every component in a device.