WHY THIS MATTERS IN BRIEF
As we increasingly become masters of manipulating the makeup of life, criminals will find new, innovative ways to breach computer systems and cause havoc.
We are increasingly becoming masters of manipulating the building blocks of life, whether it’s creating new “alien” life forms that have six DNA base pairs, not four, creating lifeforms that are resistant to every known virus on Earth, or even “teleporting life.” Now, in what appears to be the first successful hack of its kind, a team of researchers in the US has announced that they managed to introduce malware into a genetic molecule, which allowed them to use DNA to hack the software in the computer used to analyse it.
The biological malware was created by scientists at the University of Washington, who then went on to call it the first “DNA-based exploit of a computer system.”
To carry out the hack, the team, led by Tadayoshi Kohno and Luis Ceze, encoded malicious software in a short stretch of DNA they’d bought online and then used it to gain “full control” over the computer that tried to process the genetic data after it was read by their DNA sequencing machine.
The researchers warn that hackers could one day use faked blood or spit samples to gain access to university computers, steal or change information from police forensics labs, or infect genome files shared by scientists, and the list, of course, could go on and on.
For now, DNA malware doesn’t pose much of a security risk, and the researchers admit that, to pull off their intrusion, they created the “best possible” chances of success by disabling security features and even adding a vulnerability to a little-used bioinformatics program. Their paper appears here.
“Their exploit is basically unrealistic,” says Yaniv Erlich, a geneticist and programmer who is chief scientific officer of MyHeritage.com, a genealogy website.
The new DNA malware will be presented next week at the Usenix Security Symposium in Vancouver.
“We look at emerging technologies and ask if there are upcoming security threats that might manifest, so the idea is to get ahead,” says Peter Ney, a graduate student in Kohno’s Security and Privacy Research Lab.
To make the malware, the team translated a simple computer command into a short stretch of 176 DNA letters, coded as A, G, C, and T, and ordered copies of the DNA from a vendor for $109. They then fed the strands into a sequencing machine, which read off the gene letters, storing them as binary digits, 0s and 1s.
Erlich says the attack took advantage of a spill-over effect, in which data that exceeds a storage buffer can be interpreted as a computer command. In this case, the command contacted a server controlled by Kohno’s team and then took control of the computer in their lab that they were using to analyse the DNA file.
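The spill-over described above is a buffer overflow, and the defence is for the analysis program to check a read's length and alphabet before storing it. The sketch below is an added example, not code from the researchers or from the program they modified; the two-bits-per-base mapping, the 64-base buffer size and the name pack_read are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BASES 64               /* assumed read length the buffer was sized for */
#define BUF_BYTES (MAX_BASES / 4)  /* four bases fit in one byte at 2 bits each */

/* Assumed mapping of DNA letters to two binary digits. */
static int base_to_bits(char b) {
    switch (b) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;           /* anything else is not a valid base */
    }
}

/* Pack a sequencer read into out[]. Returns 0 on success and -1 if the read
 * would not fit in the buffer or contains a letter other than A, C, G or T. */
int pack_read(const char *read, size_t read_len, uint8_t *out, size_t out_len) {
    if (read == NULL || out == NULL)
        return -1;
    /* The length check whose absence lets a long read spill past the buffer. */
    if (read_len / 4 + (read_len % 4 != 0) > out_len)
        return -1;
    memset(out, 0, out_len);
    for (size_t i = 0; i < read_len; i++) {
        int bits = base_to_bits(read[i]);
        if (bits < 0)
            return -1;
        out[i / 4] |= (uint8_t)(bits << (6 - 2 * (i % 4)));
    }
    return 0;
}

int main(void) {
    uint8_t buf[BUF_BYTES];
    char long_read[176];           /* constructed input: 176 letters, all 'A' */
    memset(long_read, 'A', sizeof long_read);

    printf("4-base read:   %d\n", pack_read("ACGT", 4, buf, sizeof buf));
    printf("176-base read: %d\n",
           pack_read(long_read, sizeof long_read, buf, sizeof buf));
    return 0;
}
```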
Companies that manufacture synthetic DNA strands and mail them to scientists are already on the alert for bioterrorists, and now they might also have to start checking their DNA for security threats. As more and more of our DNA data appears online, it’s inevitable that criminals will increasingly be able to target it for “nefarious” purposes.
“In some cases, scientific programs used to organize and interpret DNA data aren’t actively maintained, and that could create risks,” said James Bonfield, a bioinformatics expert at the Wellcome Trust Sanger Institute, in the UK.