When DNA was synthesized, nobody had thought that it could be used to spread computer viruses, but a group of researchers from the University of Washington’s school of computer science and engineering have come up with a surprising new research. According to the research team, it is indeed possible to insert malicious malware into the physical DNA strands. The data resulting from the malware corrupts gene-sequencing process and gains full control of the underlying computer.
Tadayoshi Kohno (1) and Paul G Allen (2) led the research that is being termed as the first ever “DNA-based exploit of a computer system.” The scientists created the malware to be incorporated into the genetic molecule.
Kohno, Allen and Luis Ceze along with others performed the hack by encoding malicious program in a tiny DNA stretch, which they bought online for $89, and used it to control a computer that was processing genetic data fully. They developed the malware by translating a simple computer command into a tiny stretch of about 176 DNA letters. These letters were denoted as A, G, C and T. These strands were processed through a gene sequencing machine that reads gene letters and stores them as binary digits 0 and 1.
“It is well known in computer security that any data used as input into a program may contain code designed to compromise a computer. This led us to question whether it is possible to produce DNA strands containing malicious computer code that, if sequenced and analyzed, could compromise a computer,” explained Allen.
Researchers have concluded that hackers might one day use fake blood or spit sample to access university computer system and obtain sensitive data from police forensics labs. They may also infect genome files. The team will be showcasing their findings at the Usenix Security Symposium due to be held in Vancouver.
Kohno has a reputation of coming up with novel ideas of hacking probabilities. He was among the first group of scientists who proved that automobiles could be hacked through a diagnostic port and accessed remotely through Bluetooth connections.
According to Yaniv Elrich, a geneticist and programmer, the exploits used by the research team are “basically unrealistic.” Elrich opines that this hack trick relies upon the spill-over effect where data exceeding storage buffer is interpreted as computer command. In this research, the command initiated contact with a server that was being controlled by Kohno’s team of scientists. They took control of a computer present in their lab, which they were already using to analyze DNA file.
But University of Washington researchers are of the opinion that this might just be possible because DNA sequencing is becoming more and more powerful and commonplace. The sequencing is performed by third-party services on sensitive computers, and if an adversary gets control of the data processed by the computer, it will be incredibly easy to hack the computer.
Kohno states that the threat is entirely practical despite being unconventional “When you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”
Allen explained that it was indeed theoretically possible to produce synthetic DNA that can compromise a computer system but at the moment these attacks are difficult to carry out. Reason being that “it is challenging to synthesize malicious DNA strands and to find relevant vulnerabilities in DNA processing programs thus, while scientifically interesting, we stress that people today should not necessarily be alarmed.”
Sanger Institute UK’s bioinformatics expert James Bonfield confirms that the threat is real. Bonfield stated that in some cases scientific programs that are used to interpret or organize DNA data are not maintained actively, which can be a cause of risk. Bonfield further explained that “fqzcomp,” which he claims the University of Washington research team targeted, was created as an experiment to be presented at a file compression competition.
With this new research, the companies responsible for manufacturing synthetic DNA strands for scientists must become warned about the existence of bioterrorists. In the future, they might need to check DNA sequences as well to identify computer threats. Researchers also warned about the use of more conventional means and methods for attacking genetic data because it is appearing online so casually and can be accessed via app stores.