Researchers at the University of Washington in Seattle have designed what is believed to be the first known sample of DNA malware.
The researchers crafted a synthetic DNA strand to attack a vulnerable version of software used in gene sequencing, to show how traditional computer security risks can carry over to biological research through new attack vectors.
But instead of using a software supply chain to hit Windows machines, attackers could theoretically use specially crafted DNA strands to target software programs used for DNA sequencing.
To prove the point, the researchers inserted a known bug into FASTQ, an open source program used to compress DNA sequences. They then encoded an exploit into a synthetic DNA strand designed to attack the flaw and the system it operated on.
The researchers claim they were able to “remotely exploit and gain full control over a computer using adversarial synthetic DNA”.
A real-world attack like this could have dire consequences for computing equipment at organizations in "the DNA sequencing pipeline". These include universities, gene research institutes, and cloud companies, such as Microsoft, Google or Amazon, which provide compute power for genomic processing.
Equally troubling, it could also compromise tasks that depend on gene analysis, such as forensic investigations that use DNA.
They argue the attack could be leveled against any facility that accepts DNA samples for computer-based gene sequencing and processing. For example, if an attacker knew DNA samples would be sequenced on a computer, they could contaminate blood and saliva samples with a specially crafted synthetic gene.
“DNA data storage services are an indirect means of DNA-based code injection; the attacker would provide digital data to be written that would be encoded and synthesized into DNA and later sequenced when read,” they warn.
For now, the threat of DNA encoded with computer malware is theoretical. The researchers note there are no known examples of such an attack. A key caveat to their specific attack is that they disabled ASLR, an exploit mitigation technology used in all major operating systems. Essentially, they rigged the attack for a successful compromise.
Nonetheless, they did prove a DNA strand could be used to hack hardware. They also warn there are many “easy” avenues to attack DNA sequencing hardware.
For example, they point out that there is nothing stopping a member of one of several major DNA research institutes from submitting a malicious sequencing file.
Also, bioinformatics software presents a soft target for hackers, since it generally isn’t hardened against software attacks, while patching may be difficult as most software isn’t managed from a central code repository.
In the end though, preventing DNA malware comes back to secure software development and computer hygiene, albeit with the additional consideration that a DNA strand could be used to attack specific computer equipment.
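One way to apply that consideration, shown as an added C example (not code from the researchers' paper or from any sequencing tool): a read parser that treats sequencer output as untrusted input and checks length and alphabet before copying anything into a fixed-size buffer. The four-line text record layout, `MAX_READ_LEN`, and every name below are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_READ_LEN 256  /* assumed limit; use the sequencer's real maximum */

enum read_status { READ_OK, READ_MALFORMED, READ_TOO_LONG,
                   READ_BAD_BASE, READ_BAD_QUALITY };

struct read_rec { char bases[MAX_READ_LEN + 1]; size_t len; };

/* Parse one four-line record (@id / bases / + / qualities) from buf[0..n).
 * The input is attacker-influenced: its length comes from the data, so
 * nothing is copied into the fixed-size buffer until every check passes. */
enum read_status parse_read(const char *buf, size_t n, struct read_rec *out)
{
    size_t start[4], len[4], pos = 0;

    for (int i = 0; i < 4; i++) {
        if (pos > n)
            return READ_MALFORMED;            /* fewer than four lines */
        const char *nl = memchr(buf + pos, '\n', n - pos);
        start[i] = pos;
        len[i] = nl ? (size_t)(nl - (buf + pos)) : n - pos;
        pos += len[i] + 1;                    /* skip past the newline */
    }
    if (len[0] == 0 || buf[start[0]] != '@' ||
        len[2] == 0 || buf[start[2]] != '+' || len[1] == 0)
        return READ_MALFORMED;
    if (len[1] > MAX_READ_LEN)
        return READ_TOO_LONG;                 /* reject; never truncate or overflow */
    if (len[3] != len[1])
        return READ_BAD_QUALITY;              /* one quality score per base */

    for (size_t i = 0; i < len[1]; i++) {
        char b = buf[start[1] + i], q = buf[start[3] + i];
        if (!memchr("ACGTN", b, 5))
            return READ_BAD_BASE;             /* only expected base symbols */
        if (q < '!' || q > '~')
            return READ_BAD_QUALITY;          /* printable quality range only */
    }
    memcpy(out->bases, buf + start[1], len[1]);
    out->bases[len[1]] = '\0';
    out->len = len[1];
    return READ_OK;
}
```

Rejected records are worth logging with their source sample, since a read that fails these checks is either corrupt or deliberately crafted.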
“We again stress that there is no cause for people to be alarmed today, but we also encourage the DNA sequencing community to proactively address computer security risks before any adversaries manifest. That said, it is time to improve the state of DNA security,” they write.
"We encourage the DNA sequencing community to follow secure software best practices when coding bioinformatics software, especially if it is used for commercial or sensitive purposes. Also, it is important to consider threats from all sources, including the DNA strands being sequenced, as a vector for computer attacks.”
The University of Washington researchers from the Paul Allen School of Computer Science & Engineering detail their work in a new paper.