In what might prove to be a more target-rich area for an adversary to exploit, the research team also discovered known security gaps in many open-source software programs used to analyze DNA sequencing data.
A real-world attack like this could have dire consequences for computing equipment at organizations in "the DNA sequencing pipeline". When that DNA is analyzed, the code can become executable malware that attacks the computer system running the software.
In a unusual first, the researchers at the University of Washington have found a way to infect DNA strands with malicious code while DNA sequencing.
"Our DNA exploit relies on well-known vulnerabilities that the software industry has been addressing over the years", co-author Karl Koscher, a research scientist in the Security and Privacy Lab, told GeekWire in an email.
"We have no evidence to believe that the security of DNA sequencing or DNA data in general is now under attack".
"We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer", says Tadayoshi Kohno, the University of Washington computer science professor who led the project, comparing the technique to traditional hacker attacks that package malicious code in web pages or an email attachment. That code could then remotely give full control of the computer to attackers. While this phenomena is known to the sequencing community, we provide the first discussion of how this leakage channel could be used adversarially to inject data or reveal sensitive information. Researchers are calling this the first "DNA-based exploit of a computer system". Software that reads DNA will translate gene letters into binary digits of 0 and 1. "After sequencing, this DNA data is processed and analysed using many computer programs". The researchers have indicated that while this approach is technically possible, it is not very easy to achieve, and that unauthorised persons may not be able to always successfully comrpomise a computer using this approach. A key caveat to their specific attack is that they disabled ASLR, an exploit mitigation technology used in all major operating systems.
A doctored biological sample could even be used as a vector for malicious DNA to be processed downstream after sequencing, and executed.
Talking about the applications, an existing DNA strand can be contaminated using a malicious DNA. For example, in 2009 you had to pay around $100,000 to sequence your human genome.
The team, however, warns that hackers could use the more typical hacking methods to target genetic data, mainly because these facilities aren't secured properly - reminds you of some recent hospital "takeovers"?
The fixes are relatively straightforward, but programmers will have to be as careful about DNA code as they are about the more usual kind of computer code. Especially given that the DNA samples come from outside sources, which may be hard to properly vet.
"This is something [the genomics industry] and the US government should be concerned about", Tadayoshi Kohno, a member of the research team and a professor at the University of Washington, tells WSJ. "It's about considering a different class of threat".
The danger of such an attack is still years away, the researchers said, adding they haven't seen evidence of hackers attempting this sort of breach. Let's not even go to that whole bio-cyber-weapon theory...