Computer scientists are turning DNA into a new frontier for data storage and information processing, but a team from the University of Washington says it could become a frontier for cybercrime as well.
To prove their point, the researchers turned a snippet of malicious computer code into a string of synthetic DNA, and then used it to take control of a computer that was programmed to search for patterns in the raw files that emerge from DNA sequencing.
They also found known security gaps in many of the open-source software programs that are used to analyze DNA sequencing data.
The findings from UW’s Security and Privacy Research Lab and Molecular Information Systems Lab are to be presented on Aug. 17 in Vancouver, B.C., at the 26th USENIX Security Symposium.
The researchers emphasized that there’s no way evildoers could take advantage of molecular malware today, because DNA data processing is still only in the experimental stage. But they said the cybersecurity angle shouldn’t be ignored as DNA-based computing progresses.
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,'” study co-author Tadayoshi Kohno, a professor at the UW’s Paul G. Allen School of Computer Science and Engineering, said in a news release.
“Instead, we’d rather say, ‘Hey, if you continue on your current trajectory, adversaries might show up . So let’s start a conversation now about how to improve your security before it becomes an issue,'” said Kohno, who has previously studied security vulnerabilities in connected cars and implantable medical devices.
If the vulnerabilities aren’t addressed, it might become possible one day to hack into a DNA database and steal valuable medical information, or plant false information about a person’s genetic profile, Kohno and his colleagues said.
They said closing the security gaps in the software that’s used for analyzing DNA is mostly a matter of following best practices in the computer industry.
“Our DNA exploit relies on well-known vulnerabilities that the software industry has been addressing over the years,” co-author Karl Koscher, a research scientist in the Security and Privacy Lab, told GeekWire in an email. “However, it appears that a lot of the DNA analysis tools weren’t written by professional software developers, or with security in mind.”
The fixes are relatively straightforward, but programmers will have to be as careful about DNA code as they are about the more usual kind of computer code.
“In a nutshell, we believe that software used to analyze DNA sequencing data should be subject to the same level of security vulnerability scrutiny as other software packages,” study co-author Luis Ceze, an Allen School associate professor, said in an email to GeekWire.
There are at least two bits of good news among the warnings. One is that the kind of malicious DNA coding devised by the UW team wouldn’t affect how living organisms work. At worst, it would only affect the data produced by analyzing the DNA from those organisms.
The other good news is that creating the molecular malware was harder than the researchers expected.
“Delivering an exploit via DNA does introduce a lot of new constraints,” Koscher said. “For example, encoding raw x86 instructions as DNA produces a sequence that is structurally unstable at the chemical level in various ways.”
In other words, it’s not nice to fool Mother Nature – even at the molecular level.
In addition to Koscher, Ceze and Kohno, the authors of the USENIX study, titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More,” include Peter Ney and Lee Organick.
Hear from Microsoft CEO Satya Nadella, Starbucks CEO Kevin Johnson, Instacart CEO Apoorva Mehta, Amazon Alexa & Echo VP Toni Reid, Washington State Attorney General Bob Ferguson and many other leading innovators at the 6th annual GeekWire Summit, taking place Oct. 9-11 in Seattle. Don’t snooze, early-bird tickets on sale here.