SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Malware in your DNA sequence data? Technically, it’s possible
Fri, 11th Aug 2017
FYI, this story is more than a year old

Could hackers exploit your DNA sequence and encode it with malware? A new study from the University of Washington says yes, it's possible – and may be a look into the future of science security.

A new research paper, called Computer Security, Privacy and DNA Sequencing, looks at how malware creators could potentially take DNA sequencing information, lace it with malware and then infect scientific computers.

Modern DNA sequencing techniques are able to run hundreds of millions of DNA strands at any one time, and the computing power behind those techniques must process, analyse and store those strand sequences.

The research paper, written by Peter Ney, Karl Koscher, Lee Organick, Luis Ceze and Tadayoshi Kohno, says that while it hasn't yet been a target for adversaries, there is a real change it could happen in future.

Many open source DNA processing programs were written in languages known to have security problems such as C and C++, and the researchers say that security sequencing is not up to scratch when it comes to defending against cyber attackers.

“We stress that our target modified program has a known, and in some sense trivial, vulnerability. We also stress that its environment is in many ways the “best possible” environment for an adversary,” the researchers say in their report.

It is entirely possible to create synthetic DNA strands with malicious computer code. That code could then remotely give full control of the computer to attackers.

Researchers say that some DNA sequencing programs have been developed by specific research communities so it would be difficult for attackers to take advantage of these programs, but theoretically it is possible.

“Although used broadly by biology researchers, many of these programs are written by small research groups and thus have likely not been subjected to serious adversarial pressure. We therefore hypothesize that the rate of serious vulnerabilities will be higher here than in more mature software (e.g., Internet services).

Researchers also say that as DNA sequencing becomes cheaper, it also brings more opportunities for attackers. Wet labs as a service, in which non-experts can use lab techniques, could also increase the possibility of attack. Finally storing DNA sequence data in cloud services also poses risks.

However, the researchers say that there's no reason for concern – yet.

“We again stress that there is no cause for people to be alarmed today, but we also encourage the DNA sequencing community to proactively address computer security risks before any adversaries manifest. That said, it is time to improve the state of DNA security,” a statement concludes.