DNA is nothing but executable quaternary code. Of course, DNA sequencers don’t execute it, leaving this job for the cells, which are supposed to do it. Of course, they treat the DNA sequences as any usual data input.
Or not? Probably, they trust it too much as nobody seriously expect an exploit being built into the DNA analysed, while most developers dealing with user input have to prevent code injections and various types of overflow exploitations.
“We analyzed open-source bioinformatics tools that are commonly used by researchers to analyze DNA data,” the Researchers who managed to hack a sequencer with a crafted DNA explain. “Many of these are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written. In this case the programs did not follow computer security best practices. For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow. The lack of input sanitization, the use of insecure functions, and the use of overflowable buffers can make a program vulnerable to attackers; modern computer security best practices are to avoid or cautiously use these programmatic constructs whenever possible.”
A sequencer nowadays is just another device connected to PC. While parsing DNA, it stores each base in two bits as they allow for four combinations of values, one per each possible DNA base.
So, the researchers took a sequencer with a known vulnerability, designed a malicious DNA molecule, and synthesized it. After that, all they needed was to run the procedure.
As the result, arbitrary code stored in the DNA was run on the PC.
The researchers underline we have nothing to worry about right now since there’s no need for anyone to carry out such an attack, and there are no attacks of that kind detected in the wild. However, the risks may increase in the future.
“We have no reason to believe that there have been any attacks against DNA sequencing or analysis programs,” they explain. “A primary goal of this study was to better understand the feasibility of DNA-based code injection attacks. Our DNA-based exploit is hypothetical, compromising a program that we intentionally modified to include a vulnerability. We also know of no efforts by adversaries to compromise computational biology programs.”
“However, since DNA sequencing technologies are maturing and becoming more ubiquitous, we do believe that these types of issues could pose a growing problem into the future, if unaddressed. We therefore believe that now is the right time to begin hardening the computational biology ecosystem to cyber attacks.”
The researchers, two of which are doctoral students and one is a research scientist, conducted the experiment at Paul G. Allen School of Computer Science & Engineering of the University of Washington. They published the peer-reviewed paper at the 2017 USENIX Security Symposium.