Scientists Hack a Computer Using DNA

UW researchers demonstrate how evildoers could eventually hack into DNA data

UW researchers demonstrate how evildoers could eventually hack into DNA data

That code could then remotely give full control of the computer to attackers. This week security researchers detailed how they were able to hack software using DNA that has been injected with malware.

In the study, which will be presented August 17 in Vancouver, B.C., at the 26th USENIX Security Symposium, the team also demonstrated for the first time that it is possible - though still challenging - to compromise a computer system with a malicious computer code stored in synthetic DNA.

In July, researchers from Harvard University revealed the first film stored in bacterial DNA.

DNA sequencing tools lack robust protections against cybersecurity risks. This is the first time that such a vector of attack has been demonstrated to work on a computer. When the DNA is sequenced, it is processed and analyzed by multiple computer programs, which is called the DNA data processing pipeline.

The researchers also managed to hide malicious code in synthetic DNA, which turned into executable malware when the DNA was analysed by a computer. According to the researchers, numerous programs used to sequence and analyze DNA are incredible insecure, leaving them open to attacks.

Therefore they urged the DNA sequencing community to follow secure software best practices when coding bioinformatics software, especially if it is used for commercial or sensitive purposes, and to think about other protections that could neuter such attacks (e.g. application isolation).

They also wanted to reassure the general populace that there is no evidence to believe that the security of DNA sequencing or DNA data in general is now under attack. As DNA sequencing companies like 23andMe become more popular, this opens up the threat of hackers stealing the private medical information of millions of people. They started their security analyses from the first step of the DNA processing, i.e., DNA strands in a tube. Wet labs as a service, in which non-experts can use lab techniques, could also increase the possibility of attack.

Threats from DNA strands being sequenced and used as a vector for computer attacks have not been under consideration up until now, researchers argue.

"We don't want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information", says Allen School associate professor Luis Ceze.

Given the nature of the data typically handled, this could be a major issue in future - as the molecular and electronic worlds grow ever-closer, potential interactions between the two loom on the horizon, which no one has hitherto contemplated.

The new DNA malware will be presented next week at the Usenix Security Symposium in Vancouver.

Researchers say that some DNA sequencing programs have been developed by specific research communities so it would be hard for attackers to take advantage of these programs, but theoretically it is possible. "In particular, we encourage the wide adoption of security best practices like the use of memory safe languages or bounds checking at buffers, input sanitization, and regular security audits", the researchers said in a FAQ. The team will present the results of its experiments, conducted in late 2016 and 2017, at a security symposium in Vancouver, British Columbia, Canada, on August 17.

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.