Rapid improvement in DNA sequencing has sparked a proliferation of medical and genetic tests that promise to reveal everything from one鈥檚 ancestry to fitness levels to microorganisms that live in your gut.
A new study from 91探花 researchers that聽聽finds evidence of poor computer security practices used throughout the field聽 聽 .
In the , which will be presented Aug. 17 in Vancouver, B.C., at the , the team also demonstrated for the first time that it is possible 鈥 though still challenging 鈥 to compromise a computer system with a malicious computer code stored in synthetic DNA. When that DNA is analyzed, the code can become executable malware that attacks the computer system running the software.
So far, the researchers stress, there鈥檚 no evidence of malicious attacks on DNA synthesizing, sequencing and processing services. But their analysis of software used throughout that pipeline found known security gaps that could allow unauthorized parties to gain control of computer systems 鈥 potentially giving them access to personal information or even the ability to manipulate DNA results.
鈥淥ne of the big things we try to do in the computer security community is to avoid a situation where we say, 鈥極h shoot, adversaries are here and knocking on our door and we鈥檙e not prepared,鈥欌 said co-author , professor at the UW鈥檚 Paul G. Allen School of Computer Science & Engineering.
鈥淚nstead, we鈥檇 rather say, 鈥楬ey, if you continue on your current trajectory, adversaries might show up in 10 years. So let鈥檚 start a conversation now about how to improve your security before it becomes an issue,鈥欌 said Kohno, whose previous research has provoked high-profile discussions about vulnerabilities in emerging technologies, such as and .
鈥淲e don鈥檛 want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information,鈥 said co-author and Allen School associate professor . 聽鈥淲e do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven鈥檛 really had to contemplate before.鈥
In the new paper, researchers from the 91探花 and 91探花 offer recommendations to strengthen computer security and privacy protections in DNA synthesis, sequencing and processing.
The research team identified several different ways that a nefarious person could compromise a DNA sequencing and processing stream. To start, they demonstrated a technique that is scientifically fascinating 鈥 though arguably not the first thing an adversary might attempt, the researchers say.
鈥淚t remains to be seen how useful this would be, but we wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing,鈥 said co-author and Allen School doctoral student .
DNA is, at its heart, a system that encodes information in sequences of nucleotides. Through trial and error, the team found a way to include executable code 鈥 similar to computer worms that occasionally wreak havoc on the internet 鈥 in synthetic DNA strands.
To create optimal conditions for an adversary, they introduced a known security vulnerability into a software program that鈥檚 used to analyze and search for patterns in the raw files that emerge from DNA sequencing.
When that particular DNA strand is processed, the malicious exploit can gain control of the computer that鈥檚 running the program 鈥 potentially allowing the adversary to look at personal information, alter test results or even peer into a company鈥檚 intellectual property.
鈥淭o be clear, there are lots of challenges involved,鈥 said co-author , a research scientist in the Molecular Information Systems Lab. 聽鈥淓ven if someone wanted to do this maliciously, it might not work. But we found it is possible.鈥
In what might prove to be a more target-rich area for an adversary to exploit, the research team also discovered known security gaps in many open-source software programs used to analyze DNA sequencing data.
Some were written in unsafe languages known to be vulnerable to attacks, in part because they were first crafted by small research groups who likely weren鈥檛 expecting much, if any, adversarial pressure. But as the cost of DNA sequencing has plummeted over the last decade, open-source programs have been adopted more widely in medical- and consumer-focused applications.
Researchers at the 91探花Molecular Information Systems Lab are working to create next-generation archival storage systems by . Although their system relies on DNA sequencing, it does not suffer from the security vulnerabilities identified in the present research, in part because the MISL team has anticipated those issues and because their system doesn鈥檛 rely on typical bioinformatics tools.
Recommendations to address vulnerabilities elsewhere in the DNA sequencing pipeline聽include: following best practices for secure software, incorporating adversarial thinking when setting up processes, monitoring who has control of the physical DNA samples, verifying sources of DNA samples before they are processed and developing ways to detect malicious executable code in DNA.
鈥淭here is some really low-hanging fruit out there that people could address just by running standard software analysis tools that will point out security problems and recommend fixes,鈥 said co-author , a research scientist in the 91探花Security and Privacy Lab. 鈥淭here are certain functions that are known to be risky to use, and there are ways to rewrite your programs to avoid using them. That would be a good initial step.鈥
The research was funded by the 91探花 , the Short-Dooley Professorship and the Torode Family Professorship.
###
For more information, contact the research team at dnasec@cs.washington.edu.
Images available for download here:
Study available for download here: