University of Washington researchers have successfully encoded malware into DNA strands, using it to exploit a computer that analyzed the genetic material in a groundbreaking world first. The breakthrough throws up a number of troubling possibilities - one being malware encoded into genetic material potentially becoming a threat vector.
The team, led by Professor Tadayoshi Kohno (who has a history of investigating unusual attack vectors), were inspired out of concern that security infrastructure around DNA transcription and analysis was inadequate, having found elementary vulnerabilities in open-source software used in labs around the world.
Given the nature of the data typically handled, this could be a major issue in future as the molecular and electronic worlds grow ever-closer, potential interactions between the two loom on the horizon, which no one has hitherto contemplated.
While it would've been possible to demonstrate the weakness of the systems using typical malware and remote access tools, as a competent cyberattacker would, the team decided to push their idea as far as possible, to defend against every eventuality.
Accordingly, they made a quantum leap, devising a test straight out of the pages of science fiction films and novels, based on the notion DNA is essentially life's file system — a concept already being explored via tools such as CRISPR, which reads DNA strands and turns them into binary data.
They started by writing a well-known exploit — a "buffer overflow" — designed to fill space in a computer's memory intended for certain data, then spill out into another part of the memory banks to plant malicious commands.
Encoding the attack in actual DNA proved harder than first anticipated DNA sequencers work by mixing DNA with chemicals that bind differently to DNA's basic units of code (the chemical bases A, T, G, and C), and each emit a different color of light, captured in a photo of DNA molecules.
To speed up the processing, the images are divided into thousands of chunks, and analyzed in parallel — all data comprising their attack had to fit into just a few hundred such bases, to increase the likelihood it would remain intact throughout the sequencer's parallel processing.
When the researchers sent their carefully crafted attack to DNA synthesis service Integrated DNA Technologies, they found DNA had other restrictions too. For their sample to remain stable, they needed to maintain a certain ratio of Gs and Cs to As and Ts. The natural stability of DNA depends on a regular proportion of A-T and G-C pairs, and while a buffer overflow often involves using the same strings of data repeatedly, doing so in this case caused the DNA strand to fold in on itself, necessitating the repeated rewriting of their exploit code to find a form that could survive as DNA, which the synthesis service would ultimately send them in the mail.
Their findings indicate it's possible to encode malicious software into physical strands of DNA, so when a gene sequencer analyzes it, the resulting data becomes a program that corrupts gene-sequencing software, and takes control of any underlying computer.
As a result, in future, when considering the security of computational biology systems, on top of traditional concerns such as network connectivity and internal drives drive, information stored in the DNA computers are sequencing needs to be key security priority.
A doctored biological sample could even be used as a vector for malicious DNA to be processed downstream after sequencing, and executed. Mitigating this prospect however, is getting malicious DNA strands from a doctored sample into a sequencer, which presents many technical challenges. Even if an attacker was successfully able to get it into a sequencer, it may not be in readable form.
Nonetheless, University of Washington researchers believe the mere prospect needs to be indulged if future DNA analysis software is to be requisitely equipped to guard against biotech hazards. Any input would have the potential to compromise such applications, after all.
If hackers did pull off the trick, they could gain access to valuable intellectual property, or possibly taint genetic analysis such as in criminal DNA testing. Companies could even place malicious code in the DNA of genetically modified products, as a means of protecting trade secrets.