In what they're calling the first evidence of a DNA-based exploit of a computer system, a team of scientists has successfully shown that a computer can be hacked through malicious code incorporated into synthetic DNA. While the exploit is still essentially hypothetical, with no evidence that such threats are currently in the wild, it does expose a major security flaw that could pose a significant problem in the future.
The research team at the University of Washington demonstrated how executable code can be embedded into synthetic DNA strands. When a software program sequences that DNA, executable code encoded within it allows the exploit to gain control of the computer, potentially compromising the security of its data or even altering the test results.
The team points out that the technique is currently just a proof-of-concept experiment requiring intentional modification of a computer program to allow the DNA-based exploit to take hold.
"To be clear, there are lots of challenges involved," says co-author Lee Organick. "Even if someone wanted to do this maliciously, it might not work. But we found it is possible."
But, as a hypothetical demonstration of how this process could work, it clearly shows how an artificially modified blood or DNA sample could corrupt a computer system. Future nefarious possibilities may include criminal DNA results being tampered with, or even valuable DNA data banks being stolen.
"We don't want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information," says Allen School associate professor Luis Ceze. "We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before."
The team also conducted a thorough examination of the bioinformatics software tools commonly used by researchers today. They discovered that many widely adopted open-source programs for analyzing DNA sequencing data are often written in C and C++, languages known to be prone to a variety of security vulnerabilities.
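As an added illustration (not code from the researchers or from any tool they examined), here is a C routine that treats a sequenced read as untrusted input, checking its length and alphabet before packing it into a fixed-size buffer. The 2-bit base encoding, the 64-base limit and the name `pack_read` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_READ_BASES 64   /* assumed per-read limit, chosen for this example */

enum { READ_OK = 0, READ_TOO_LONG = -1, READ_BAD_BASE = -2 };

/* Assumed 2-bit encoding: A=0, C=1, G=2, T=3. Anything else is rejected. */
static int base_to_bits(char b)
{
    switch (b) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;
    }
}

/* Pack n_bases bases (4 per byte) into out[out_len]. The read is untrusted
 * input: length and alphabet are checked before the first byte is written,
 * so a rejected read leaves the caller's buffer untouched. */
int pack_read(const char *read, size_t n_bases,
              uint8_t *out, size_t out_len, size_t *written)
{
    if (n_bases > MAX_READ_BASES)
        return READ_TOO_LONG;
    size_t needed = (n_bases + 3) / 4;      /* cannot wrap: n_bases <= 64 */
    if (needed > out_len)
        return READ_TOO_LONG;
    for (size_t i = 0; i < n_bases; i++)
        if (base_to_bits(read[i]) < 0)
            return READ_BAD_BASE;

    memset(out, 0, needed);
    for (size_t i = 0; i < n_bases; i++)
        out[i / 4] |= (uint8_t)(base_to_bits(read[i]) << (6 - 2 * (i % 4)));
    *written = needed;
    return READ_OK;
}

int main(void)
{
    const char *read = "ACGTTTTT";          /* constructed sample read */
    uint8_t buf[MAX_READ_BASES / 4];
    size_t n = 0;
    int rc = pack_read(read, strlen(read), buf, sizeof buf, &n);
    printf("rc=%d bytes=%zu first=0x%02X\n", rc, n, (unsigned)buf[0]);
    return 0;
}
```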
The point of the research seems to be to highlight a potential future problem that needs to be quickly addressed. The study notes that there is no known evidence of outside attacks on DNA analysis software at this time, but as these technologies become more ubiquitous our current computational ecosystems need to be secured.
"We'd rather say, 'Hey, if you continue on your current trajectory, adversaries might show up in 10 years," says Tadayoshi Kohno, professor at the UW's Paul G. Allen School of Computer Science & Engineering. "So let's start a conversation now about how to improve your security before it becomes an issue.'"
The team will present the study at the upcoming USENIX Security Symposium in Vancouver.
Source: University of Washington / Paul G. Allen School of Computer Science & Engineering
Why make a comment about the use of C and C++ languages? They are no worse or better than any other language if used correctly - clearly the researchers have not done their research!