The Cybersecuirty and Infrastructure Agency, a component of the DHS, has issued a cybersecurity alert regarding Illumina software and its multiple vulnerabilities. The Local Run Manager program provides a complete solution for collecting samples for a run, selecting run parameters, keeping track of progress, examining sequencing data, and reviewing outcomes.
The vulnerabilities were identified by Pentest, an information security consultant, who found the softwares diagnostic devices and research-use only instruments were susceptible to security threats. The instruments named included NextSeq 500, 550 and 550Dx, MiSeq and MiSeq Dx, iSeq 100 and MiniSeq. Amongst these devices, Pentest found that an unauthorized malicious third party can gain access to the devices’ operating systems and change settings, software, or access sensitive information on each of the devices. The software included an improper limitation of a pathname to a restricted directory, which will allow attacks to transfer data outside the intended directory system. In addition, the Local Run Manager software did not confine the types of files that could be uploaded to the devices. Third parties have the opportunity to upload code that allows for exploitation. Finally, the software does not implement the necessary access controls and encryption to ensure the security of the sensitive data they maintain.
The problem was identified by Pentest, an information security consultant, who reported the vulnerabilities to Illumina. Subsequently, the report was then made to CISA who alerted the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The ICS-CERT calculated 3 of the vulnerabilities as 10 out of 10 on the cybersecurity risk scale. Attacks of low complexity are capable of affecting the devices performance and outcomes. CISA has recommended users of the Local Run Manager to implement several defensive practices to limit the risk of harm as a result of the vulnerabilities. CISA advises users to reduce network exposure for control device systems, to assure all control system devices are not accessible through the internet. CISA advises users to establish firewalls for control system networks and to use secure methods, like VPNs, when remote access is necessary.
Illumina has developed an update to the Local Run Manager software to improve its protection against unauthenticated third parties remote exploitation of the vulnerabilities. The organization has maintained that they will continue to develop a long-lasting software solution for both existing and future equipment to prevent further attacks and to minimize potential harm.