
Researchers hack computer using malware encoded in synthetic DNA

UW researchers have demonstrated for the first time that it is possible to remotely compromise a computer using information stored in DNA
This test tube holds hundreds of billions of copies of the exploit code stored in synthetic DNA molecules, which has the potential to compromise a computer system when it is sequenced and processed
Lee Organick (left), Karl Koscher (center) and Peter Ney (right) from the UW’s Molecular Information Systems Lab and the Security and Privacy Research Lab prepare the DNA exploit for sequencing
This output from a sequencing machine includes the UW team’s exploit, which is being sequenced with a number of unrelated strands. Each dot represents one strand of DNA in a given sample

In what they're calling the first evidence of a DNA-based exploit of a computer system, a team of scientists has successfully shown that a computer can be hacked through malicious code incorporated into synthetic DNA. While the exploit is still essentially hypothetical, with no evidence there are such threats currently in the wild, it does expose a major security flaw that could pose a significant problem in the future.

The research team at the University of Washington demonstrated how executable code can be embedded into synthetic DNA strands. When a software program sequences that DNA, executable code encoded within it allows the exploit to gain control of the computer, potentially compromising the security of its data or even altering the test results.

The team points out that the technique is currently just a proof-of-concept experiment requiring intentional modification of a computer program to allow the DNA-based exploit to take hold.

"To be clear, there are lots of challenges involved," says co-author Lee Organick. "Even if someone wanted to do this maliciously, it might not work. But we found it is possible."


But, as a hypothetical demonstration of how this process could work, it clearly shows how an artificially modified blood or DNA sample could corrupt a computer system. Future nefarious possibilities may include criminal DNA results being tampered with, or even valuable DNA data banks being stolen.

"We don't want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information," says Allen School associate professor Luis Ceze. "We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before."


The team also conducted a thorough examination of the bioinformatics software tools commonly used by researchers today. They discovered that many widely adopted open-source programs for analyzing DNA sequencing data are written in C and C++, languages that are known to hold a variety of security vulnerabilities.
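
The article does not describe the flaw the team used, so the following is an added example, not code from the UW study or from any tool it examined: a generic bounds-checked routine in C that treats a sequenced read as untrusted input. The function names, result codes and the A/C/G/T to 2-bit mapping are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for pack_read(); hypothetical names chosen for this example. */
enum { READ_OK = 0, READ_TOO_LONG = -1, READ_BAD_BASE = -2 };

/* Map one base to 2 bits. The A/C/G/T -> 0/1/2/3 mapping is an assumption. */
static int base_to_bits(char b)
{
    switch (b) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;   /* N, lowercase, control bytes, anything else */
    }
}

/*
 * Pack a sequence line into 2 bits per base.
 * The failure mode to avoid in C is a fixed-size buffer filled by a loop
 * that trusts the read to be as short as the tool expects. Here the caller
 * passes the output capacity, the required size is checked before any
 * write, and every character is validated against the expected alphabet.
 */
int pack_read(const char *seq, size_t seq_len,
              uint8_t *out, size_t out_cap, size_t *n_bases)
{
    /* Bytes needed, rounded up; reject before touching the buffer. */
    size_t need = seq_len / 4 + (seq_len % 4 != 0);
    if (need > out_cap)
        return READ_TOO_LONG;

    memset(out, 0, out_cap);
    for (size_t i = 0; i < seq_len; i++) {
        int bits = base_to_bits(seq[i]);
        if (bits < 0)
            return READ_BAD_BASE;
        /* First base of each group of four lands in the top two bits. */
        out[i / 4] |= (uint8_t)(bits << (2 * (3 - i % 4)));
    }
    *n_bases = seq_len;
    return READ_OK;
}
```

A caller would reject or quarantine any read that returns a non-zero code rather than truncating it and continuing.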

The point of the research seems to be to highlight a potential future problem that needs to be quickly addressed. The study notes that there is no known evidence of outside attacks on DNA analysis software at this time, but as these technologies become more ubiquitous our current computational ecosystems need to be secured.

"We'd rather say, 'Hey, if you continue on your current trajectory, adversaries might show up in 10 years," says Tadayoshi Kohno, professor at the UW's Paul G. Allen School of Computer Science & Engineering. "So let's start a conversation now about how to improve your security before it becomes an issue.'"

The team will present the study at the upcoming USENIX Security Symposium in Vancouver.

Source: University of Washington / Paul G. Allen School of Computer Science & Engineering

3 comments
Fairly Reasoner
Proof of not a lot.
Brian M
The only proof of anything here is that Washington University seriously needs to look at the work its research teams do!
Why make a comment about the use of C and C++ languages? They are no worse or better than any other language if used correctly - clearly the researchers have not done their research!
Douglas Bennett Rogers
The DNA is just a storage medium. Could just as well be a stone tablet. Both require some type of reader to input the data.