The fact that Secure Boot is not enabled means the code responsible for booting the operating system, both at the UEFI level and the Windows bootloader itself, are not cryptographically verified. As such, malicious code could be injected into the boot process to take control of the OS kernel, a malware attack known as a bootkit (boot rootkit).
UEFI bootkits have been used in the wild for over a decade. Examples include LoJax (2018), MosaicRegressor (2020), FinSpy (2021), ESPecter (2021), MoonBounce (2022), CosmicStrand (2022), and BlackLotus (2023).
Sign of a broader issue
While Eclypsium’s research looked only at the Illumina iSeq 100, the researchers believe many medical devices likely suffer from similar firmware security issues inherited from the hardware supply chain. Medical device vendors don’t always manufacture their device hardware themselves, instead focusing on their core area of expertise and outsourcing the rest of the device development process to ODMs and IBVs, for example.
