Biology may be the next frontier for cybercriminals. University of Washington researchers successfully stored malware in synthetic DNA strands, and used it to infect the computer analyzing the DNA, according to a paper published at the 2017 USENIX Security Symposium.
When DNA is sequenced, for medical or criminal purposes, it is usually processed and analyzed by a number of computer programs. The researchers found that many of these programs contained serious security flaws, and were written in programming languages known to contain security problems and vulnerable code, such as C and C++. They modified one of the processing programs to include a vulnerability for the purposes of the experiment.
The researchers created a synthetic DNA strand that contained malicious computer code encoded in the bases of the DNA. When this strand was sequenced and processed by the vulnerable program, it gave the researchers remote control of the computer doing the processing. “That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA,” the researchers wrote.
This means hackers could potentially mix synthetic DNA strands encoded with malware into a solution, and send it to a lab for sequencing to gain control of computers. Once in the system, the hackers could launch other attacks.
Despite this, the researchers said there is no cause for concern–yet. While it’s clear that these types of attacks are possible, they remain difficult in practice, as it is challenging to synthesize malicious DNA strands, and to find relevant vulnerabilities in DNA processing programs.
“We have no reason to believe that there have been any attacks against DNA sequencing or analysis programs,” the researchers wrote. “However, since DNA sequencing technologies are maturing and becoming more ubiquitous, we do believe that these types of issues could pose a growing problem into the future, if unaddressed.”
Cybersecurity researchers should begin focusing on improving security in the computational biology ecosystem sooner rather than later, the researchers added.
Humans themselves are not at risk when it comes to DNA-based exploits such as this, the researchers noted. “Our exploit shows that specifically designed DNA can be used to affect computer programs, not living organisms themselves,” they wrote. “Said another way, our exploit is designed to compromise a computer program involved in the DNA sequencing pipeline (and a program intentionally modified to include a vulnerability). The DNA sequence we designed for this paper does not have any biological significance.”
The concept of DNA storage dates back to the 1960s. University of Washington researchers partnered with Microsoft last year to set a new record for the amount of data stored in the molecules, at 200 megabytes. However, this is the first time that malware has been stored in DNA and used to infect a computer system.
This research should also serve as a lesson to businesses on the importance of securing key operating systems. The researchers encourage the wide adoption of security best practices such as the use of memory safe languages, and regular patching and security audits.
The 3 big takeaways for TechRepublic readers
1. Researchers from the University of Washington stored malware in synthetic DNA strands, and used it to infect the computer analyzing the DNA, according to a paper published at the 2017 USENIX Security Symposium.
2. Despite this work, the researchers said that this does not currently pose a threat, as creating synthetic DNA is very challenging.
3. The research demonstrates the importance of strong security measures for both computational biological ecosystems and businesses as a whole.