The US government, through the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA), has issued public notifications to healthcare providers and lab personnel regarding serious vulnerabilities in a component used by several Illumina medical devices that could enable remote hacking. The component in question is the Universal Copy Service (UCS), which is used by a number of Illumina's genetic sequencing instruments. The vendor has released patches and mitigations and has also published its own advisory to inform customers about the necessary steps to prevent potential exploitation.
The FDA has stated that it is not aware of any attacks exploiting these vulnerabilities in the wild. However, it warned that a hacker could exploit them to remotely take control of a device or to alter configurations, settings, software, or data on the device or the user's network. Additionally, the FDA cautioned that exploitation of the vulnerabilities could impact "genomic data results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results, incorrect results, altered results, or a potential data breach."
CISA's advisory states that the Illumina Universal Copy Service is affected by a critical vulnerability, tracked as CVE-2023-1968, in which the service binds to an unrestricted IP address. An unauthenticated attacker can abuse this to make the component listen on all IP addresses, including those that accept remote connections. The second flaw, CVE-2023-1966, involves unnecessary privileges that can allow an unauthenticated attacker to remotely upload and execute code at the OS level.
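An added example, not taken from the FDA, CISA or Illumina advisories: a defender-side check for the condition behind CVE-2023-1968, a service listening on every interface instead of a restricted address. It assumes connection listings in the Windows `netstat -an` column layout; the sample lines, addresses and port numbers are constructed for illustration and do not come from any instrument.

```python
import ipaddress

# Constructed sample in the `netstat -an` column layout (not from a real device).
SAMPLE = """\
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.10.5:3389      0.0.0.0:0              LISTENING
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    [::1]:5000             [::]:0                 LISTENING
  TCP    192.168.10.5:49712     10.0.0.8:443           ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host):
    """Return 'wildcard', 'loopback' or 'specific' for a bind address."""
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_unspecified:  # 0.0.0.0 or :: means "every interface"
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    return "specific"


def wildcard_listeners(netstat_text):
    """Return sorted (bind_address, port) pairs for TCP sockets that
    listen on all interfaces and are therefore reachable remotely."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: proto, local endpoint, remote endpoint, state
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        if classify(host) == "wildcard":
            found.add((host, port))
    return sorted(found)


if __name__ == "__main__":
    for host, port in wildcard_listeners(SAMPLE):
        print(f"TCP port {port} is bound to {host} (all interfaces)")
```

Listeners reported here are the ones to compare against the vendor's mitigation guidance and the host firewall rules; loopback and single-address binds are deliberately not flagged.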
The affected products include Illumina's iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq. These devices are used globally in the healthcare sector for clinical diagnostic use in sequencing a person's DNA for various genetic conditions or for research purposes. The FDA stated, "On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability." Similar notifications were issued last year by CISA and the FDA over different vulnerabilities affecting Illumina genetic analysis devices.
The FDA recently announced that it will require medical device makers to meet specific cybersecurity requirements when submitting an application for a new product. This comes as a response to the increasing number of vulnerabilities discovered in medical devices, which could potentially expose patient information or lead to other serious consequences.