
FDA: Critical Illumina Cybersecurity Vulnerability May Allow Threat Actors to Control Devices Remotely

The FDA informed healthcare providers of a vulnerability in select Illumina genetic testing devices that may allow threat actors to alter configurations.


By Jill McKeon

The US Food and Drug Administration (FDA) alerted healthcare providers and laboratory personnel to a cybersecurity vulnerability that impacts the Universal Copy Service (UCS) software in select Illumina medical devices.

At the time of publication, the FDA had not received any reports indicating that the vulnerability had been exploited.

The vulnerability impacts the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments, which are used to sequence a person’s DNA for clinical diagnostic use or for research use.

The Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory regarding the vulnerability, identified as CVE-2023-1968, which received a CVSS score of 10.0. The critical vulnerability may allow an unauthenticated actor to “use UCS to listen on all IP addresses, including those capable of accepting remote communications,” CISA stated.

In addition, a second vulnerability, CVE-2023-1966, received a CVSS score of 7.4 and may allow unauthenticated actors to upload and execute code remotely, enabling them to change settings and configurations and potentially access sensitive data.

Illumina sent notifications to impacted customers in early April, urging them to check their devices for signs of exploitation. Illumina also developed a patch and issued a UCS Vulnerability Instructions Guide to help users mitigate the vulnerabilities based on their device’s specific configurations.

CISA also recommended that organizations isolate devices from business networks, ensure that control system devices are not accessible from the internet, and use security methods such as Virtual Private Networks (VPNs) to mitigate risk.

The FDA urged users to immediately download and install the patch and to contact the FDA if suspicious activity is detected.

“The FDA is working with Illumina and coordinating with the CISA to identify, communicate, and prevent adverse events related to this cybersecurity vulnerability,” the FDA stated. “The FDA will continue to keep health care providers and laboratory personnel informed if new or additional information becomes available.”