FDA, CISA warn of cybersecurity vulnerabilities affecting Illumina Universal Copy Service

The U.S. Department of Health & Human Services (HHS) Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published separate advisories regarding remotely exploitable vulnerabilities with low attack complexity in Illumina Universal Copy Service (UCS), which is deployed globally by the healthcare and public health sector. The two security vulnerabilities involve binding to an unrestricted IP address and execution with unnecessary privileges.

The FDA disclosed that software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments had been affected. These instruments are medical devices that may be specified either for clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or for research use only (RUO).

The agency added that an unauthorized user could exploit the vulnerability by taking control remotely, altering settings, configurations, software, or data on the instrument or a customer’s network, or impacting genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach.

“At this time, the FDA and Illumina have not received any reports indicating this vulnerability has been exploited,” the FDA wrote in a letter to healthcare providers. “Illumina developed a software patch to protect against the exploitation of this vulnerability. The FDA wants health care providers and laboratory personnel to be aware of the required actions to mitigate these cybersecurity risks.”

The FDA said that earlier this month Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability. “Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled ‘For Research Use Only. Not for use in diagnostic procedures’ – though some laboratories may be using them with tests for clinical diagnostic use,” the agency added.

The FDA is working with Illumina and coordinating with CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability. The FDA will continue to keep healthcare providers and laboratory personnel informed if new or additional information becomes available.

In terms of mitigation actions, the FDA has called upon users to report any adverse events or suspected adverse events experienced with Illumina’s next generation sequencing instruments. Device manufacturers and user facilities must comply with the applicable Medical Device Reporting (MDR) regulations, and healthcare personnel employed by facilities that are subject to the FDA’s user facility reporting requirements should follow the reporting procedures established by their facilities.

In its advisory, CISA outlined that “successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network.”

CISA said that instruments with Illumina Universal Copy Service v2.x are vulnerable due to binding to an unrestricted IP address. “An unauthenticated malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remote communications,” it added.

“Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability,” CISA said. “An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product.”

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should minimize network exposure for all control system devices and/or systems, ensure they are not accessible from the Internet, and locate control system networks and remote devices behind firewalls and isolate them from business networks.

The agency added that when remote access is required, organizations should use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as its connected devices.

Furthermore, CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
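
As an added illustration that is not part of either advisory or of Illumina's software: the two conditions CISA describes, a service listening on all IP addresses and running with more privilege than it needs, can be audited together by pairing listening sockets with the account that owns them. The `netstat -ano`-style lines, ports, PIDs, process name and account mapping below are constructed placeholders, not values from the affected instruments.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano` (placeholder ports/PIDs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING       1234
  TCP    [::]:8080              [::]:0                 LISTENING       1234
  TCP    10.0.0.5:49702         10.0.0.9:443           ESTABLISHED     2210
  TCP    10.0.0.5:3389          0.0.0.0:0              LISTENING       900
"""
# Constructed PID -> (process, account) map, as could be built from `tasklist /v`.
# "example-service.exe" is a hypothetical name, not the real service binary.
SAMPLE_OWNERS = {
    1234: ("example-service.exe", "NT AUTHORITY\\SYSTEM"),
    900: ("svchost.exe", "NT AUTHORITY\\NETWORK SERVICE"),
}
PRIVILEGED = {"NT AUTHORITY\\SYSTEM"}  # assumption: accounts treated as OS-level

def split_endpoint(endpoint):
    """Split '0.0.0.0:8080' or '[::]:8080' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def listeners(netstat_text):
    """Yield (address, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, port = split_endpoint(fields[1])
            yield addr, port, int(fields[4])

def audit(netstat_text, owners, privileged=PRIVILEGED):
    """Flag listeners bound to the unspecified address (0.0.0.0 or ::)."""
    findings = []
    for addr, port, pid in listeners(netstat_text):
        if not addr.is_unspecified:
            continue  # loopback or a single named interface: not a wildcard bind
        name, account = owners.get(pid, ("unknown", "unknown"))
        # Wildcard bind plus an OS-level account is the worst combination.
        severity = "high" if account in privileged else "review"
        findings.append((port, str(addr), name, account, severity))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_OWNERS):
        print(finding)
```
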

In its advisory to healthcare organizations, NHS Digital wrote that “the vulnerability classified as CVE-2023-1968 has been assigned a CVSS v3 base score of 10.0, and involves binding to unrestricted IP addresses. An unauthenticated attacker could use this vulnerability to listen on all IP addresses, including those capable of accepting remote communications.”

The second vulnerability, classified as CVE-2023-1966, involves unnecessary privileges being in place on devices operating Illumina Universal Copy Service v1.x and v2.x, the NHS advisory added. “An unauthenticated attacker could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product.”

This is not the first time that CISA and the FDA have warned of cybersecurity vulnerabilities in software of Illumina DNA sequencing offerings. Last June, CISA warned of multiple vulnerabilities in Illumina Local Run Manager software, while the FDA informed laboratory personnel and healthcare providers about the cybersecurity vulnerability that affects software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next-generation sequencing instruments.

In March, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the HHS published a guide to help the public and private healthcare sectors align their cybersecurity programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
