Cybersecurity researchers say they’ve managed to insert malware into synthetic DNA data which could theoretically be used to disrupt police forensic work or steal valuable IP.
Peter Ney, Karl Koscher, Lee Organick, Luis Ceze, and Tadayoshi Kohno at the University of Washington presented their findings at the 2017 Usenix Security Symposium this week.
After DNA is sequenced, it’s sent down a “processing pipeline” to be analyzed. However, the researchers found that the bioinformatics tools designed to do this – often open source – are written in coding languages like C and C containing numerous security vulnerabilities.
They explained as follows:
“Most had little input sanitization and used insecure functions. Others had static buffers that could overflow. The lack of input sanitization, the use of insecure functions, and the use of overflowable buffers can make a program vulnerable to attackers; modern computer security best practices are to avoid or cautiously use these programmatic constructs whenever possible.”
To prove their theory, the researchers deliberately inserted a vulnerability into a DNA processing program, and then designed and created a synthetic DNA strand containing malicious code encoded in the bases of that strand.
When the physical strand was sequenced by the flawed program, the code remotely executed and gave the researchers full control over the computer doing the processing.
From there, attackers could pivot to steal sensitive IP from DNA processing or other systems, or even use such attacks to disrupt police forensics on key cases.
At the moment, such threats remain theoretical, but the team urged developers of bioinformatics software to follow security best practices when coding and consider DNA strands as a potential threat vector.
Such best practices should include the use of memory safe languages or bounds checking at buffers, input sanitization and regular security audits. Stakeholders should also get serious about regular patching of such systems, the researchers argued.
They added:
“However, since DNA sequencing technologies are maturing and becoming more ubiquitous, we do believe that these types of issues could pose a growing problem into the future, if unaddressed. We therefore believe that now is the right time to begin hardening the computational biology ecosystem to cyber-attacks.”