Ethical hackers create bizarre new way of using DNA as weapon to infect computers
Cyber-security terms like 'viruses' and 'worms', which have their origins in the natural world, are intended to be analogies rather than literal descriptions, but increasingly it seems the boundaries between molecular biology and computing are blurring
Creatively minded cyber-security researchers have highlighted troubling synergies between the worlds of biology and computing by inventing a scarily fascinating means of using DNA to infect computers.
Members of the team in the USA say they stored malicious computer code in a strand of synthetic DNA which, when sequenced, caused computers used in the sequencing process to become compromised.
This could potentially give any malicious hackers, who were sophisticated enough to attempt such a feat, access to personal information or even the ability to manipulate DNA results.
The trio of academics behind the project swiftly pointed out that such a modus operandi was considered so convoluted, and the results were so hit and miss, that it would be far from the obvious choice for cybercriminals at present – particularly given that there are often plenty of easier ways in which to create mayhem.
However, they warned that companies involved in DNA sequencing should take steps to improve their computer networks’ security hygiene to mitigate the threat that, at some point in the not too distant future, carefully crafted synthetic DNA could be deployed to make computers go haywire.
One of the researchers involved, Peter Ney, a doctoral student who co-authored a groundbreaking study on the technique set to be made public later this month, said of the origins of the research: “It remains to be seen how useful this would be, but we wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing.”
Another member of the team, Professor Tadayoshi Kohno, said: “One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared.’
“Instead, we’d rather say, ‘Hey, if you continue on your current trajectory, adversaries might show up in 10 years. So let’s start a conversation now about how to improve your security before it becomes an issue.’”
Professor Luis Ceze, another member of the team that made the discovery, said: “We don’t want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information.
“We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before.”
DNA encodes information in sequences of nucleotides. Through trial and error, the team found a way of inserting executable code, similar to computer worms that occasionally wreak havoc on the internet, into synthetic DNA strands.
Deoxyribonucleic acid, to give it its full name, contains the biological equivalent of computer code. It is nature’s information storage system.
Individual genes encode information that is processed in factory-type systems in cells to create proteins, while large stretches of DNA in the human genome control gene expression and other biological processes that are still not well understood.
Because the data contained within DNA is so rich, increasingly inexpensive genetic tests could soon be able to reveal extremely precise information about people’s ancestry and their vulnerability to particular health problems.
After DNA is sequenced, it is usually processed and analysed by a number of computer programmes through what is called the DNA data processing pipeline.
But the commonly used, open-source programmes in this process often fail to follow computer security best practice – something that prompted the researchers to intentionally include a known security vulnerability in the set-up they used as part of their hacking exercise.
They then cleverly designed and created a synthetic DNA strand that contained malicious computer code encoded in the nitrogen bases – adenine, cytosine, guanine and thymine.
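As an added illustration (not code from the researchers or from any sequencing tool), the sketch below shows why a string of A, C, G and T can carry arbitrary bytes, and a reader that checks each read before decoding it. The two-bits-per-base mapping, the 300-base limit and all names are assumptions; the article does not describe the encoding the team used.

```python
# Assumed mapping, two bits per base; the article does not give the team's encoding.
BASE_BITS = {"A": 0b00, "C": 0b01, "G": 0b10, "T": 0b11}
BITS_BASE = {bits: base for base, bits in BASE_BITS.items()}
MAX_READ_BASES = 300  # hypothetical per-read limit for this pipeline stage


class RejectedRead(ValueError):
    """Raised when a read fails validation before any further processing."""


def bytes_to_bases(data: bytes) -> str:
    """Encode each byte as four bases, most significant bit pair first."""
    return "".join(
        BITS_BASE[(byte >> shift) & 0b11] for byte in data for shift in (6, 4, 2, 0)
    )


def validate_read(read: str, max_bases: int = MAX_READ_BASES) -> str:
    """Accept only bounded reads over the four-letter alphabet (N = no call)."""
    read = read.strip().upper()
    if not read:
        raise RejectedRead("empty read")
    if len(read) > max_bases:
        raise RejectedRead(f"read of {len(read)} bases exceeds limit {max_bases}")
    bad = set(read) - set("ACGTN")
    if bad:
        raise RejectedRead(f"unexpected symbols: {sorted(bad)}")
    return read


def bases_to_bytes(read: str) -> bytes:
    """Decode a validated read back to bytes; a trailing partial byte is dropped."""
    read = validate_read(read)
    if "N" in read:
        raise RejectedRead("cannot decode a read containing no-calls")
    out = bytearray()
    for i in range(0, len(read) - len(read) % 4, 4):
        value = 0
        for base in read[i:i + 4]:
            value = (value << 2) | BASE_BITS[base]
        out.append(value)
    return bytes(out)


# Constructed sample: arbitrary bytes chosen for the demonstration, not a real payload.
SAMPLE = b"constructed \x00\xff bytes"
SAMPLE_READ = bytes_to_bases(SAMPLE)
```

Every byte value has a four-base spelling, so the sequence alone cannot be trusted; software that parses reads has to treat them like any other untrusted input.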
Related but somewhat cruder forms of DNA analysis are used for the benefit of police investigators seeking to identify suspects from traces left at crime scenes.
Mike Silverman, one of the UK’s leading forensic scientists, who formerly served as the government-approved regulator for the sector, told E&T he was not overly worried about the cyber-security implications of the new malicious DNA code threat for the police.
He said: “How you would insert anything like malicious code into what is effectively just a sequence of four letters [A, C, G and T] or just a sequence of numbers is hard to see. I don’t know a lot about computer coding but I’d imagine the code would be quite complex and so it would stand out like a dog’s balls.”