UW researchers have demonstrated for the first time that it is possible to remotely compromise a computer using information stored in DNA. This test tube holds hundreds of billions of copies of the exploit code stored in synthetic DNA molecules, which has the potential to compromise a computer system when it is sequenced and processed. Dennis Wise/University of Washington
Rapid improvement in DNA sequencing has sparked a proliferation of medical and genetic tests that promise to reveal everything from one’s ancestry to fitness levels to microorganisms that live in your gut.
A new study from University of Washington researchers that analyzed the security hygiene of common, open-source DNA processing programs finds evidence of poor computer security practices used throughout the field .
In the study, which will be presented Aug. 17 in Vancouver, B.C., at the 26th USENIX Security Symposium, the team also demonstrated for the first time that it is possible — though still challenging — to compromise a computer system with a malicious computer code stored in synthetic DNA. When that DNA is analyzed, the code can become executable malware that attacks the computer system running the software.
So far, the researchers stress, there’s no evidence of malicious attacks on DNA synthesizing, sequencing and processing services. But their analysis of software used throughout that pipeline found known security gaps that could allow unauthorized parties to gain control of computer systems — potentially giving them access to personal information or even the ability to manipulate DNA results.
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said co-author Tadayoshi Kohno, professor at the UW’s Paul G. Allen School of Computer Science & Engineering.
“Instead, we’d rather say, ‘Hey, if you continue on your current trajectory, adversaries might show up in 10 years. So let’s start a conversation now about how to improve your security before it becomes an issue,’” said Kohno, whose previous research has provoked high-profile discussions about vulnerabilities in emerging technologies, such as internet-connected automobiles and implantable medical devices.
Lee Organick (left), Karl Koscher (center) and Peter Ney (right) from the UW’s Molecular Information Systems Lab and the Security and Privacy Research Lab prepare the DNA exploit for sequencing.Dennis Wise/University of Washington
“We don’t want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information,” said co-author and Allen School associate professor Luis Ceze. “We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before.”
In the new paper, researchers from the UW Security and Privacy Research Lab and UW Molecular Information Systems Lab offer recommendations to strengthen computer security and privacy protections in DNA synthesis, sequencing and processing.
The research team identified several different ways that a nefarious person could compromise a DNA sequencing and processing stream. To start, they demonstrated a technique that is scientifically fascinating — though arguably not the first thing an adversary might attempt, the researchers say.
“It remains to be seen how useful this would be, but we wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing,” said co-author and Allen School doctoral student Peter Ney.
DNA is, at its heart, a system that encodes information in sequences of nucleotides. Through trial and error, the team found a way to include executable code — similar to computer worms that occasionally wreak havoc on the internet — in synthetic DNA strands.
This output from a sequencing machine includes the UW team’s exploit, which is being sequenced with a number of unrelated strands. Each dot represents one strand of DNA in a given sample.Dennis Wise/University of Washington
To create optimal conditions for an adversary, they introduced a known security vulnerability into a software program that’s used to analyze and search for patterns in the raw files that emerge from DNA sequencing.
When that particular DNA strand is processed, the malicious exploit can gain control of the computer that’s running the program — potentially allowing the adversary to look at personal information, alter test results or even peer into a company’s intellectual property.
“To be clear, there are lots of challenges involved,” said co-author Lee Organick, a research scientist in the Molecular Information Systems Lab. “Even if someone wanted to do this maliciously, it might not work. But we found it is possible.”
In what might prove to be a more target-rich area for an adversary to exploit, the research team also discovered known security gaps in many open-source software programs used to analyze DNA sequencing data.
This data file tells researchers what sequence their DNA had as well as the quality of the read (with E higher quality than A). The team demonstrated that it is possible to place malicious code in a strand of DNA that, when sequenced, could attack the software used for analysis.Dennis Wise/University of Washington
Some were written in unsafe languages known to be vulnerable to attacks, in part because they were first crafted by small research groups who likely weren’t expecting much, if any, adversarial pressure. But as the cost of DNA sequencing has plummeted over the last decade, open-source programs have been adopted more widely in medical- and consumer-focused applications.
Researchers at the UW Molecular Information Systems Lab are working to create next-generation archival storage systems by encoding digital data in strands of synthetic DNA. Although their system relies on DNA sequencing, it does not suffer from the security vulnerabilities identified in the present research, in part because the MISL team has anticipated those issues and because their system doesn’t rely on typical bioinformatics tools.
Recommendations to address vulnerabilities elsewhere in the DNA sequencing pipeline include: following best practices for secure software, incorporating adversarial thinking when setting up processes, monitoring who has control of the physical DNA samples, verifying sources of DNA samples before they are processed and developing ways to detect malicious executable code in DNA.
“There is some really low-hanging fruit out there that people could address just by running standard software analysis tools that will point out security problems and recommend fixes,” said co-author Karl Koscher, a research scientist in the UW Security and Privacy Lab. “There are certain functions that are known to be risky to use, and there are ways to rewrite your programs to avoid using them. That would be a good initial step.”
Learn more: DNA sequencing tools lack robust protections against cybersecurity risks
The Latest on: DNA cybersecurity
- Cyber Monday 2019: Best deals for health and fitnesson November 30, 2019 at 9:26 pm
From big savings on all Theragun models to 50% off DNA services, the holiday discount season isn't just about computers and tech. Black Friday has passed and Cyber Monday is upon us. But the sales ...
- All 23andMe & Ancestry DNA Kit Cyber Monday 2019 Deals: List of DNA Testing Kit Deals Released by Save Bubbleon November 30, 2019 at 4:05 pm
Our round-up of the best DNA kit deals for Cyber Monday 2019, featuring Ancestry, 23andMe and more DNA kits deals In search of the best Cyber Monday DNA test kits deals for 2019? Online sales ...
- Ancestry DNA kits make great gifts — and they're up to half offon November 30, 2019 at 11:05 am
Ancestry's DNA test kits make the perfect present for just about anyone on your list ... Visit Ancestry's website to take advantage of its already-live Cyber Monday deals and make this year's gift ...
- DNA Kit Black Friday & Cyber Monday 2019 Deals: Ancestry & 23andMe DNA Kit Deals Listed by Consumer Walkon November 30, 2019 at 10:04 am
Compare the latest DNA kit Black Friday & Cyber Monday 2019 deals and enjoy instant savings on Ancestry, 23andMe and more DNA kits BOSTON, Nov. 29, 2019 /PRNewswire/ -- Here's a comparison of the best ...
- DNA Deal: 23andMe kit with lab fee included on sale for $79on November 29, 2019 at 10:26 pm
However, if you know what you're getting into and are dying to know which haplogroup your DNA belongs to, this 23andMe kit will do the trick. If you liked this deal, remember to bookmark our Cyber ...
- Top DNA Kit Black Friday & Cyber Monday Deals for 2019: AncestryDNA & 23andMe DNA Kit Deals Reviewed by Retail Fuseon November 29, 2019 at 4:21 pm
DNA kit Black Friday & Cyber Monday 2019 deals are live now, here’s all the best AncestryDNA and 23andMe DNA kits Black Friday & Cyber Monday savings Here’s the best DNA kit deals for Black Friday & ...
- Several popular DNA kits are up to 50% off on Black Friday, including 23andMe and AncestryDNAon November 29, 2019 at 2:21 pm
Updated 11/29/19 at 4:40 pm ET: DNA kits are on sale during Black Friday. Here are the best deals on 23andMe, AncestryDNA, and more.
- Get up to $100 off the best DNA kits this Black Fridayon November 29, 2019 at 11:08 am
players in the DNA kit space, are offering massive markdowns on every single one of their DNA kit offerings. We've covered both services in depth before, so be sure to check out our ultimate guide to ...
- MyHeritage DNA is at its lowest price of the yearon November 28, 2019 at 7:07 am
You can now pick up a MyHeritage DNA test kit for just £39 as part of the service's Black Friday Sale. SEE ALSO: Black Friday and Cyber Monday 2019: When is it and what are the best deals in the UK?
- Traficom’s Cybersecurity label helps consumers identify devices that are sufficiently secureon November 27, 2019 at 6:06 pm
... easier by helping consumers identify devices that are sufficiently secure,” says Director Jarkko Saarimäki from the National Cyber Security Centre Finland (NCSC-FI) at Traficom. Pilot projects ...
via Google News and Bing News