US researchers embed malware into DNA, in order to hack DNA sequencing software. But it won’t be a threat for a while to come
Cybersecurity researchers at the University of Washington have been able to infect a computer with malware coded into a strand of DNA.
While the experts believe bio-malware is not a likely threat vector at the moment, it could become one in the years ahead.
This is because security protocols surrounding DNA transcription and analysis “can be inadequate, and vulnerabilities have been discovered in the open-source software used in labs around the world.”
The researchers point out that there has been rapid improvement in the cost and time necessary to sequence and analyse DNA.
For example, in the past ten years the cost to sequence a human genome has decreased 100,000-fold or more, the researchers said.
This performance increase has been achieved thanks to parallel processing, and has resulted in a raft of new DNA services being offered to the general public, such as personalised medicine, ancestry research, and even the study of the microorganisms that live in a person’s gut.
Of course, computers are needed to process, analyse, and store the billions of DNA bases that can be sequenced from a single DNA sample.
And where there is a computer, there is a security risk.
In their study, the researchers found that DNA sequencers (scientific instruments used to automate the DNA sequencing process) often fail to follow best practices in computer security, and the researchers were therefore able to encode malware in DNA sequences.
“After DNA is sequenced, it is usually processed and analysed by a number of computer programs through what is called the DNA data processing pipeline,” wrote the researchers.
“We analysed the computer security practices of commonly used, open-source programs in this pipeline and found that they did not follow computer security best practices. Many were written in programming languages known to routinely contain security problems, and we found early indicators of security problems and vulnerable code.”
The researchers were then able to produce DNA strands containing malicious computer code that, if sequenced and analysed, could compromise a computer.
“To assess whether this is theoretically possible, we included a known security vulnerability in a DNA processing program that is similar to what we found in our earlier security analysis,” they continued.
“We then designed and created a synthetic DNA strand that contained malicious computer code encoded in the bases of the DNA strand,” they wrote. “When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing. That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA.”
No Panic – For Now
But the researchers also sought to reassure the general public, saying that there is no cause for alarm about present-day threats.
“We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack,” they said. “Instead, we view these results as a first step toward thinking about computer security in the DNA sequencing ecosystem.”
However, they did urge the DNA sequencing community to proactively address computer security risks before any adversaries manifest.
In 2015, a study by Australian telecommunications company Telstra found that most younger UK consumers would consider providing a DNA sample when choosing a bank, in order to improve the security of remote banking access.