Destroying DNA Sequencers
I wrote this post to help think through some of the security issues around DNA Sequencers with Triassec (led by Gareth Highnam: gareth@triassec.com). If you’d like to discuss this further, reach out to him (or me). Or chat on the Discord!
DNA sequencers are not security hardened instruments. We saw this most recently with multiple Illumina vulnerabilities that were widely reported. These cases appear to have been relatively simple account configuration issues. The attack surface of a DNA sequencer is far bigger than this, including integration with services hosted on the Internet and remote monitoring and configuration that is there by design. However, it’s unclear how much auditing is performed on instruments[1].
So assuming you can get (remote) access to the software on a DNA sequencer… what are the worst things you can do to physically damage an instrument?[2]
In this post I’m going to talk about the HiSeq X. This is an instrument I’ve disassembled and documented. It’s an older design, and I have not actually tried any of this, so these thoughts are based on my understanding of the system rather than a practical demonstration.
Fluidics
Assuming we wanted to cause downtime, what could we do with complete software access to the fluidics system? Here’s a basic overview of the fluidics:
The flowcell is held in place with a vacuum chuck, under software control. As such, after the run has started, the instrument could release the flowcell from the chuck. In normal usage the instrument pulls reagents through the flowcell and out into a waste bin. However, it contains a separate pump on the input side used for priming reagents.
As such, by setting valves appropriately, reagents can be pulled into the priming pump and then out to the now disconnected flowcell port. This would result in reagents pouring into the sequencing instrument.
The flowcell is mounted on a number of sensitive components: a 3-axis kinematic mount, a high-precision linear Y stage and a stepper-driven X stage. All these components could be damaged by vented reagents.
The corrosive reagents would then gather in the bottom of the instrument. The instrument would likely be rendered inoperable and require extensive disassembly, which may not be practical to perform on site.
The total volume of fluid dispensed into the instrument may be increased if the waste bin is full and tubes are sitting in the waste. Syringe pumps run in reverse will then vent waste into the instrument.
With all available reagents vented into the instrument body we would proceed to attempt physical damage to components of the fluidic system. Valves of the priming pump can be closed such that this pump is pulling against vacuum. Repeated pulling against vacuum will eventually physically damage the valve.
Similarly, selection valves can be forced into continuous operation to reduce service life.
In an institute with tens of instruments, such an attack is likely to cause weeks to months of downtime.
Optics
The HiSeq X optical system contains two multi-watt (3?) lasers (532nm and 660nm). Before entering the rest of the optical system these lasers pass through filter wheels. There is likely little damage that can be caused to the optical components beyond this.
However, the filter wheels contain plastic interstitial regions between the filters. By rotating the filter wheel to this position and running the laser at full power, it may be possible to cause physical damage to these wheels. Exposure to lasers of this power for minutes should be sufficient. Beyond this, running or pulsing the laser, reconfiguration of the drive power or thermal limits, or other modifications to the laser platform (which is fully software reconfigurable) may destroy these $10000+ components.
Motion Control
With the stages now covered in corrosive reagents, it would be wise to constantly run these to ensure the mechanical components are fully exposed. The linear stage is software tunable and can be configured to operate at currents and speeds outside its normal operating range. It therefore may be possible to cause physical damage to the stage here.
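The Fluidics, Optics and Motion Control sections above each describe commands that are individually valid but harmful in a particular instrument state. As an added example (not from the original post, and not Illumina's software), the sketch below shows a state-aware command interlock that refuses those combinations; every command name, state field and limit in it is hypothetical.

```python
from dataclasses import dataclass
# Hypothetical limits and command names, for illustration only.
MAX_STAGE_CURRENT_A = 1.5
FILTER_SLOTS = {0, 1, 2, 3}  # wheel positions that hold a filter

@dataclass
class State:
    run_active: bool = False
    chuck_engaged: bool = True
    filter_position: int = 0  # -1 = stopped between filters

def check(state, cmd, args):
    """Return None if cmd is acceptable in this state, else a refusal reason."""
    if cmd == "chuck_release" and state.run_active:
        return "chuck must stay engaged while a run is active"
    if cmd in ("prime_dispense", "syringe_reverse") and not state.chuck_engaged:
        return "no fluid may be pushed toward an unseated flowcell"
    if cmd == "laser_on" and state.filter_position not in FILTER_SLOTS:
        return "laser inhibited: filter wheel is between filters"
    if cmd == "stage_configure" and args.get("current_a", 0.0) > MAX_STAGE_CURRENT_A:
        return "stage current above rated limit"
    return None

def apply(state, cmd, args):
    if cmd in ("run_start", "run_stop"):
        state.run_active = cmd == "run_start"
    elif cmd in ("chuck_engage", "chuck_release"):
        state.chuck_engaged = cmd == "chuck_engage"
    elif cmd == "filter_move":
        state.filter_position = args["position"]

def audit(commands):
    """Replay a command log through the interlock; list every refusal."""
    state, refused = State(), []
    for i, (cmd, args) in enumerate(commands):
        reason = check(state, cmd, args)
        if reason:
            refused.append((i, cmd, reason))
        else:
            apply(state, cmd, args)  # only accepted commands change state
    return refused

# Constructed sample command log (not captured from a real instrument).
SAMPLE = [
    ("run_start", {}), ("chuck_release", {}),                   # 0 ok, 1 refused
    ("run_stop", {}), ("chuck_release", {}),                    # 2 ok, 3 ok (unload)
    ("prime_dispense", {}), ("filter_move", {"position": -1}),  # 4 refused, 5 ok
    ("laser_on", {}), ("stage_configure", {"current_a": 4.0}),  # 6, 7 refused
]
```

The same `audit` function can be run over a recorded command log after the fact to flag sequences an interlock would have refused.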
Summary
The only components of the HiSeq X I don’t think it’s likely you can easily damage are the cameras, and some parts of the optical system (that is if the lasers don’t cause something to combust and cause smoke damage).
A hostile actor would probably want to perform the above outside of normal business hours to ensure that damage goes unnoticed. This shouldn’t be difficult as DNA sequencers are often left unattended overnight.
It would be interesting to run this thought experiment on more recent instruments. The MiSeq flowcell sits in a clamp. Dislodging the flowcell here might not be possible… but perhaps there are more interesting ways to destroy the instrument[3]…
[1] Illumina documents suggest that “ISO 27001–certified information security program is audited annually by independent third parties to certify that Illumina security controls meet the requirements of international standards”. However, it’s not clear that pentesting instruments would be required.
[2] This is a subset of a number of issues I’ve been thinking about, which include the following. If any of these might be interesting, reach out, and if there’s interest I’ll write about them in future posts:
Software Issues
Downtime and physical damage (this post)
Falsifying Results
Physical Access
DNA as an input validation attack vector
Sample contamination as an attack vector
Avoiding detection
[3] The objective (Z-axis) appears to have software limits. Bypassing these might let us crash the objective into the flowcell? Or by moving the stage so the objective is over the clamp, smashing it repeatedly into the clamp? I suspect we can also increase power to the LEDs and pulse them to reduce their lifetime. We might be able to get the syringe pumps to pull against vacuum (seems likely that one of the positions on the valve is unused and sealed).