New Security Worry: DNA-borne Malware

　　University of Washington researchers have demonstrated that biohackers, using widely available tools, could embed malware in synthesized strands of deoxyribonucleic acid that would allow them to take over the computer analyzing the DNA. They will present their work in Vancouver, B.C., next week at the 2017 USENIX Security Symposium.

　　Infecting computers with viruses, worms, Trojan horses, backdoors, or worse has always been the domain of digital software written by nefarious programmers. But the UW researchers turned the tables on that model, infecting a strand of DNA with malware that corrupted the gene-sequencing software analyzing the DNA and took control of a computer connected to the gene sequencer.

　　The hack proves that biological DNA can infect computers, according to UW professor Tadayoshi Kohno, a malware whistleblower who earlier brought attention to vulnerabilities in Internet-connected automobiles and implantable medical devices. Computers so affected could misrepresent the genetic profiles so coveted by doctors to cure diseases; could result in synthetic organisms that harm humans; or could perform more traditional malware functions, such as turning computers into slaves of the hackers that could access personal profiles, alter test results, steal intellectual property, or even hold DNA databases hostage in ransomware attacks.

　　Kohno said the potential vulnerability occurred to him after he noticed the similarity of computer code’s ones and zeros to the C’s, G’s, T’s, and A’s that encode strands of DNA. After some digging, he discovered that developers of widely available open-source software for analyzing DNA genetic codes had never considered the possibility of encoding malware on synthetic DNA strands and thus had not invoked security protocols to prevent it. Even the most commonly known security practices are absent from their programming, especially the open-source suites in common use today, he said.

　　Kohno emphasized that there are no known cases of hackers’ actually synthesizing malware DNA — yet. As the practice of sequencing the genetic code of adults, children, and even embryos becomes more widespread, however, the security gaps that could allow malware infections must be plugged. The UW researchers conducted their work at the university’s Security and Privacy Research Lab with funding from the UW Tech Policy Lab, the Short-Dooley Professorship, and the Torode Family Professorship. Along with releasing their findings, the team is proposing concrete means and policies that DNA-analysis software developers can implement immediately to prevent hackers from taking advantage of existing vulnerabilities.

　　Meanwhile, in the adjacent Molecular Information Systems Lab at UW, researchers are hard at work creating secure systems to sequence, analyze, and store strands of synthetic DNA.