Researchers pull off DNA-based malicious code injection attack

Researchers have demonstrated that it’s possible to create synthetic DNA strands containing malicious computer code that, if sequenced and analyzed, could compromise a computer.

DNA-based malicious code injection attack

The main goal of their research was to test open-source bioinformatics software commonly used by researchers to analyze DNA data for security flaws, and to prove, unequivocally, that the security of these tools should be improved before attackers have the chance to exploit the vulnerabilities.

“Many of these [software] are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written,” they explained.

“For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow. The lack of input sanitization, the use of insecure functions, and the use of overflowable buffers can make a program vulnerable to attackers; modern computer security best practices are to avoid or cautiously use these programmatic constructs whenever possible.”

During their research, they did not exploit an existing vulnerability in a DNA processing program, but introduced one similar to what they found in their earlier security analysis. Still, the result effect of the DNA-based exploit was crystal clear: the vulnerable software provided them with the capability of remotely controlling the computer on which it was installed.

DNA-based malicious code injection attack

No immediate danger

The team was quick to point out that people should not be concerned about their discovery.

For one, people are not in danger of being affected by DNA-based exploits, as they can’t affect the human genome (or that of other living beings). Secondly, the fact that they managed to create and deploy such an exploit does not mean that it could be easily delivered via, for example, a manipulated blood sample – there are many things that could go wrong and make the DNA sequencer’s output effectively unusable.

In fact, even their “attack” failed in most cases.

They also wanted to reassure the general populace that there is no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack.

“However, since DNA sequencing technologies are maturing and becoming more ubiquitous, we do believe that these types of issues could pose a growing problem into the future, if unaddressed,” they noted.

“As computer security researchers, we are interested in understanding the security risks of emerging technologies, with the goal of helping improve the security of future versions of those technologies. The security research community has found that evaluating the security risks of a new technology while it is being developed makes it much easier to confront and address security problems before adversarial pressure manifests.”

Therefore they urged the DNA sequencing community to follow secure software best practices when coding bioinformatics software, especially if it is used for commercial or sensitive purposes, and to think about other protections that could neuter such attacks (e.g. application isolation).