A real-world attack like this could have dire consequences for computing equipment at organizations in "the DNA sequencing pipeline".
In a paper that will be presented at a security symposium in Vancouver, Canada, on August 17, researchers explained how they stored malware in synthetic DNA, then gained control of the computer by targeting security loopholes in the DNA analysis software. "But we found it is possible".
Researchers at the University of Washington in Seattle call the hack the first DNA-based exploit of a computer system. Essentially, they rigged the attack for a successful compromise. A malware program was then translated into a simple computer command of 176 DNA letters, denoted by A, C, and G and embedded into the DNA sample. The researchers started by writing a well-known exploit called a "buffer overflow", created to fill the space in a computer's memory meant for a certain piece of data and then spill out into another part of the memory to plant its own malicious commands.
It is possible. Through trial and error, the researchers managed to include an exploit in synthetic DNA strands that could take control of a computer when it processed the strands.
"We have no evidence to believe that the security of DNA sequencing or DNA data in general is now under attack", researchers wrote. While this phenomena is known to the sequencing community, we provide the first discussion of how this leakage channel could be used adversarially to inject data or reveal sensitive information. In this case, the command was to contact another computer operated by the research team who were able to easily take over the host system that was analysing DNA, it was reported.
The synthetic strands were passed through a sequencing machine, which converted the gene letters into digits - 0s and 1s. "After sequencing, this DNA data is processed and analysed using many computer programs".
The researchers warn that hackers could one day use faked blood or spit samples to gain access to university computers, steal information from police forensics labs, or infect genome files shared by scientists. A key caveat to their specific attack is that they disabled ASLR, an exploit mitigation technology used in all major operating systems. "Even if you were successfully able to get it into the sequencer for sequencing, it might not be in any usable shape (it might be too fragmented to be read usefully, for example)". And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity. "We have no evidence to believe that the security of DNA sequencing or DNA data in general is now under attack".
"It remains to be seen how useful this would be, but we wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing", said co-author and Allen School doctoral student Peter Ney. "I doubt it." But he adds that, with an age of DNA-based data possibly on the horizon, the ability to plant malicious code in DNA is more than a hacker parlor trick. While there are regulations to prevent synthesizing biological viruses such as chicken pox, the researchers warn it may be more hard to detect executable code in DNA.
"That means when you're looking at the security of computational biology systems, you're not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they're sequencing", Tadayoshi Kohno, the University of Washington computer science professor who led the project said. "It's about considering a different class of threat".