Published: Fri, August 11, 2017
Hi-Tech | By Grace Becker

Scientists code malware into DNA that takes over computers that scan it

Scientists code malware into DNA that takes over computers that scan it

Researchers at the University of Washington took control of a machine using a malicious strand of DNA in what is being considered the first "DNA-based exploit of a computer system".

In their experiments, the researchers stored malware in synthetic DNA and demonstrated how that code can compromise a computer analyzing the DNA after it has been run through a gene-sequencing machine.

Despite that tortuous, unreliable process, the researchers admit, they also had to take some serious shortcuts in their proof-of-concept that verge on cheating.

"That means when you're looking at the security of computational biology systems, you're not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they're sequencing", Tadayoshi Kohno, the University of Washington computer science professor who led the project said.

"Instead, we'd rather say, 'Hey, if you continue on your current trajectory, adversaries might show up in 10 years".

"We don't want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information", said the study's co-author Luis Ceze in a statement. "We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before".

However, researchers point out hackers still have a long way to go before they'd be able to create the code to be turned into DNA strands - which wasn't easy at all. The researchers started by writing a well-known exploit called a "buffer overflow", created to fill the space in a computer's memory meant for a certain piece of data and then spill out into another part of the memory to plant its own malicious commands.

Walcott: Kolasinac Is An Animal
He's going to show something different and he's going to get fitter, stronger and quicker. Either way, he is sure to bring some entertainment to the Emirates for the coming season.

Nonetheless, they did prove a DNA strand could be used to hack hardware.

DNA is developed of foundational units called nucleotides. While any data that is input in a computer could contain malicious code, this is probably the first time that malware has been encoded in DNA strands.

Co-author Dr Lee Organick added: 'To be clear, there are lots of challenges involved.

Mad scientists have successfully infected a computer with a malicious program coded in a DNA strand.

'It remains to be seen how useful this would be, but we wondered whether under semi-realistic circumstances it would be possible to use biological molecules to infect a computer through normal DNA processing, ' said co-author Peter Ney. The developers argue that an attacker could use it to hack any computer in the DNA sequencing pipeline. An attacker could mess with a police investigation by tainting blood, hair, and saliva samples with injected malicious DNA they know will be sequenced on a computer. While there are regulations to prevent synthesizing biological viruses such as chicken pox, the researchers warn it may be more hard to detect executable code in DNA. Although their system relies on DNA sequencing, it does not suffer from the security vulnerabilities identified in the present research, in part because the MISL team has anticipated those issues and because their system doesn't rely on typical bioinformatics tools.

The team also noted that they intentionally programmed a vulnerability into the computer that was tasked with reading the DNA, which is what allowed the malware to take control in the first place.

But as sequencing becomes cheaper, simper and more popular, these attacks could pose a growing problem in the future, if unaddressed. At some point, it is conceivable hackers could harness those tools to exploit vulnerabilities. "That would be a good initial step".

Like this: