In a World’s First, Scientists Successfully Hack a Computer Using Malware Encoded DNA
Mad scientists have successfully infected a computer with a malicious program coded in a DNA strand. You might ask, "uh, why'd you do that?!" The developers argue that an attacker could use it to hack any computer in the DNA sequencing pipeline. What is a DNA sequencing pipeline?
DNA sequencing pipeline includes any facility that accepts DNA samples for computer-based gene sequencing and processing, and an attacker could tamper with forensic evidence (and do much much more) if they are able to inject malicious DNA. "We analyzed the computer security practices of commonly used, open-source programs in this pipeline and found that they did not follow computer security best practices," the research team writes. "Many were written in programming languages known to routinely contain security problems, and we found early indicators of security problems and vulnerable code."
The research team at the University of Washington's Paul Allen School of Computer Science & Engineering argues that these bioinformatics tools have faced little to no adversarial pressure. However, they should be prepared before these attack vectors are adopted by the criminal community.
How this sci-fi, DNA hack works
DNA stores its basic structural units as letters A, C, G, and T, with two strands that are held together by bonds between these four types of bases. After sequencing, this DNA data is processed and analyzed by computer programs. While any data that is input in a computer could contain malicious code, this is probably the first time that malware has been encoded in DNA strands.
We demonstrate, for the first time, the synthesis of DNA which - when sequenced and processed - gives an attacker arbitrary remote code execution. [...]
After sequencing, we observed information leakage in our data due to sample bleeding. While this phenomena is known to the sequencing community, we provide the first discussion of how this leakage channel could be used adversarially to inject data or reveal sensitive information.
To make this DNA hack work, the research team included a known security vulnerability in a DNA processing program and also designed a synthetic DNA strand carrying malicious code. To make this malware, the team translated a computer command into a short stretch of 176 DNA letters (A, G, C, and T). Ordering synthetic DNA from a vendor for just $89, they fed these modified strands to a sequencing machine, which read the letters and stored them as binary digits 0s and 1s.
"When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing," the researchers write. "That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA."
While they did set the right conditions for the exploit to work, including turning off the exploit mitigation features, they were eventually able to gain full control over the target computer.
When asked by Devin Coldewey of TechCrunch if such a malicious payload could be "delivered via, for example, a doctored blood sample or even directly from a person’s body?" The researchers responded in a worrying yes. “A doctored biological sample could indeed be used as a vector for malicious DNA to get processed downstream after sequencing and be executed."
“However, getting the malicious DNA strand from a doctored sample into the sequencer is very difficult with many technical challenges. Even if you were successfully able to get it into the sequencer for sequencing, it might not be in any usable shape (it might be too fragmented to be read usefully, for example).”
While creating sensational headlines, the team of "biohackers" also added that there is no immediate concern of such an attack happening as the possibility of a DNA hack remains theoretical. "We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack."
The team, however, warns that hackers could use the more typical hacking methods to target genetic data, mainly because these facilities aren't secured properly - reminds you of some recent hospital "takeovers"?
Not an immediate threat, but latest successful DNA hack proves that biologists just don't have to worry about creating or spreading a dangerous stretch of genetic code that could result in an infectious disease. They also have to worry about tampered DNA attacking not only humans but computers as well.
"That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing," Tadayoshi Kohno, the University of Washington computer science professor who led the project said. "It’s about considering a different class of threat."
If criminal hackers do manage to pull off these attacks, they could potentially use fake blood and spit samples to gain access to ongoing police investigations, steal information, tamper with forensic evidence, and taint code of genetically modified products. Let's not even go to that whole bio-cyber-weapon theory...