
Critically rated security flaw in Illumina DNA sequencing technology exposes patient data


The US government has sounded the alarm about a critical software vulnerability found in genomics giant Illumina’s DNA sequencing devices, which hackers can exploit to modify or steal patients’ sensitive medical data.

In separate notices published Thursday, the US cybersecurity agency CISA and the US Food and Drug Administration warned that the security flaw, tracked as CVE-2023-1968 with the maximum vulnerability severity rating of 10 out of 10, allows hackers to remotely access an affected device over the internet without requiring a password. If exploited, the bug could allow hackers to compromise devices to produce incorrect or tampered output, or none at all.

The advisories also warn of a second vulnerability, tracked as CVE-2023-1966 with a lower severity rating of 7.4 out of 10. The bug could allow attackers to remotely upload and execute malicious code at the operating system level, allowing them to alter the settings and access sensitive data about the affected product.

The vulnerabilities affect Illumina iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq products. These products, used worldwide in the healthcare sector, are designed for clinical diagnostic use in sequencing a person’s DNA for various genetic conditions or for research purposes.

Illumina spokesman David McAlpine told TechCrunch that Illumina “has not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence that any vulnerability has been exploited.” McAlpine declined to say whether Illumina has the technical means to detect exploitation, or to say how many devices are vulnerable to the flaws.

Illumina CEO Francis de Souza said in January that its installed base was more than 22,000 sequencers.

In a LinkedIn post, Illumina CTO Alex Aravanis said the company discovered the vulnerability as part of routine efforts to test its software for potential vulnerabilities and exposures.

“Upon identifying this vulnerability, our team worked diligently to develop mitigations to protect our instruments and clients,” said Aravanis. “We then contacted and worked closely with regulators and customers to address the issue with a simple software upgrade at no cost, which requires little to no downtime for most.”

News of the Illumina vulnerability comes after the FDA last month announced that it will require manufacturers of medical devices to meet specific cybersecurity requirements when submitting an application for a new product. Device manufacturers will need to submit a plan that explains how they plan to track and address vulnerabilities, and include a software bill of materials detailing each component in a device.

