DNA synthesis is conducted cautiously by biologists. Scientists do not want to create a dangerous strand of genetic code. Computers are used to process the billions of DNA bases that can be sequenced from a single strand of DNA. The two things have always been separate. Until now.
A team of computer scientists from Washington University has shown, for the first time, that it is possible to encode malware into physical strands of DNA. When the DNA is analysed the code can become executable and attack and take-over the computer.
The attack was not nefarious (this time), but it is now a possibility that cyber criminals could seize control of a computer running the DNA sequencing programme. Such a breach would be catastrophic, allowing hackers to access personal information, alter test results, or view a company’s intellectual property. In the wrong hands, there is even potential to contaminate the criminal DNA database.
How Is This Possible?
The corrupt DNA is placed into a gene sequencer. When the gene sequencer analyses it, the resulting data becomes a programme that corrupts the software and takes control of the computer. This attack is known as a ‘buffer flow.’ The research, fortunately, was harder than anticipated and there were many failed attempts. All of the data that comprised their attack had to fit into a mere few hundred of the billions of DNA bases.
When the research team ‘sent’ their attack there were other barriers. DNA has certain physical restrictions and for the sample to remain stable the ratio’s must be just right. A buffer overflow uses the same strings of data repeatedly. This type of repeated attack can cause the DNA to become unstable and fold in on itself. The research team had to write an exploit code that would actually survive as DNA.
Eventually, a piece of attack software survived the translation from physical to digital DNA format, known as FASTQ, that’s used to store the DNA sequence. FASTQ files are usually compressed, otherwise, they stretch to gigabytes of text. When the FASTQ file is compressed the compression software is hacked with the buffer overflow exploit. It breaks free from the compression programme and infiltrates the computer’s memory and can run its own autocratic commands.
DNA sequencing is advancing. As the molecular and electronic worlds converge, this is a different class of threat. As DNA sequencing continues to progress it is likely to be conducted by third-parties on sensitive computer systems.
Traditional hacking attempts stem from the internet or email, but Tadayoshi Kohno Ph.D., a professor at the UW’s Paul G. Allen School of Computer Science & Engineering, who led the project confirmed, “if an adversary has control over the data a computer is processing, it can potentially take over that computer.” It sounds like something from a science fiction film, but bio-exploitation may become a reality.
Kohno went on to say, “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard, but also the information stored in the DNA they’re sequencing.” There are clear warning signs for the computer security community. Kohno suggests, “let’s start a conversation now about how to improve your security before it becomes an issue.”
This DNA-malware delivery may be limited to professors in laboratories – for now. However, it is highly plausible that corporations, government-led facilities, and medical institutions will follow their lead, keen to test, understand and advance. Any mistake could be costly. DNA contains valuable, sensitive data. It may only be a matter of time before cyber hackers attempt to exploit it. The Washington team have proven it possible.
If you would like to understand how the latest developments in cyber attacks could affect you, please get in touch with one of our experienced team.Back to Blog