In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect Windows devices against the threat of malware that could infect the BIOS and, later, its successor the UEFI, the firmware that loaded the operating system each time a computer booted up.
Firmware-dwelling malware raises the specter of infections that take hold before the operating system even loads, each time a device boots up. From there, the malware can remain immune to detection and removal. Secure Boot uses public-key cryptography to block the loading of any code that isn’t signed with a pre-approved digital signature.
2018 calling for its BIOS
Since 2016, Microsoft has required all Windows devices to include a strong trusted platform module that enforces Secure Boot. To this day, organizations widely regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments.
Microsoft has a much harder time requiring Secure Boot to be enforced on specialized devices, such as scientific instruments used inside research labs. As a result, gear used in some of the world’s most sensitive environments still doesn’t enforce it. On Tuesday, researchers from firmware security firm Eclypsium called out one of them: the Illumina iSeq 100, a DNA sequencer that’s a staple at 23andMe and thousands of other gene-sequencing laboratories around the world.
The iSeq 100 can boot from a Compatibility Support Mode so it works with older legacy systems, such as 32-bit OSes. When this is the case, the iSeq loads from BIOS B480AM12, a version that dates to 2018, and Windows 10 2016 LTSB. Both harbor years’ worth of critical vulnerabilities that can be exploited to carry out the types of firmware attacks Secure Boot was designed to prevent.
Additionally, Eclypsium said, firmware Read/Write protections aren’t enabled, meaning an attacker is free to modify the firmware on the device.
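A local check for the conditions described above (legacy/CSM boot, Secure Boot not enforced, an old BIOS build), as an added example that is not from Eclypsium or the original article. The function name Get-BootTrustAudit and the three-year BIOS-age threshold are assumptions; firmware read/write protections are not visible through these cmdlets and are not covered.

```powershell
# Added example (not from the article): audit boot-trust settings locally.
# Run from an elevated PowerShell 5.1+ session on the Windows host.
function Get-BootTrustAudit {
    param([int]$MaxBiosAgeYears = 3)   # assumed threshold, adjust to policy

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $fw   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on a UEFI boot, but throws
    # PlatformNotSupportedException on a legacy/CSM boot, so the exception
    # is itself a finding rather than a failure of the audit.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $secureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    } catch {
        if ($_.Exception -is [System.PlatformNotSupportedException]) {
            $secureBoot = 'Unsupported (legacy/CSM boot)'
        } else {
            $secureBoot = "Unknown: $($_.Exception.Message)"
        }
    }

    # Some firmware does not report a release date; leave the age empty then.
    $biosAgeYears = $null
    if ($bios.ReleaseDate) {
        $biosAgeYears = [math]::Round(((Get-Date) - $bios.ReleaseDate).TotalDays / 365.25, 1)
    }

    $findings = @()
    if ("$fw" -ne 'Uefi')          { $findings += 'Booted in legacy BIOS/CSM mode' }
    if ($secureBoot -ne 'Enabled') { $findings += "Secure Boot: $secureBoot" }
    if ($biosAgeYears -gt $MaxBiosAgeYears) { $findings += "BIOS is $biosAgeYears years old" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = "$fw"
        SecureBoot   = $secureBoot
        BiosVersion  = $bios.SMBIOSBIOSVersion
        BiosDate     = $bios.ReleaseDate
        OS           = "$($os.Caption) (build $($os.BuildNumber))"
        Findings     = $findings
    }
}

Get-BootTrustAudit | Format-List
```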
Eclypsium wrote:
It should be noted that our analysis was limited specifically to the iSeq 100 sequencer device. However, the issue is likely much more broad than this single model of device. Medical device manufacturers tend to focus on their unique area of expertise (e.g. gene sequencing) and rely on outside suppliers and services to build the underlying computing infrastructure of the device. In this case, the problems were tied to an OEM motherboard made by IEI Integration Corp. IEI develops a wide range of industrial computer products and maintains a dedicated line of business as an ODM for medical devices. As a result, it would be highly likely that these or similar issues could be found either in other medical or industrial devices that use IEI motherboards. This is a perfect example of how mistakes early in the supply chain can have far-reaching impacts across many types of devices and vendors.
In an email, Eclypsium CTO Alex Bazhaniuk wrote: “To be fair, with an OS that does not get the most recent security updates, there are plenty of risks and threats, not to mention how each IT organization manages their own assets on their network.”