Biologists Infect PC with Malicious Code Written into DNA
A team of biologists and security researchers have infected a computer with a malicious program coded into a strand of DNA, fuelling further concerns over bio-security threats.
According to Tech Crunch, the multidisciplinary team at the University of Washington were concerned that the security infrastructure around DNA transcription and analysis was inadequate, after finding elementary vulnerabilities in open-source software used in labs around the world.
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said Professor Tadayoshi Kohno, who was a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers.
Co-author of the study, Luis Ceze, added, “As these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before.”
The transcription application reads the raw data coming from the transcription process and sorts through it, looking for patters and converting the base sequences it finds into binary code.
Lee Organick, a research scientist who worked on the project, explained, “A doctored biological sample could indeed be used as a vector for malicious DNA to get processed downstream after sequencing and be executed.
“However, getting the malicious DNA strand from a doctored sample into the sequencer is very difficult with many technical challenges. Even if you were successfully able to get it into the sequencer for sequencing, it might not be in any usable shape.”
The reason behind the study is because the authors want people thinking about the potential avenues of attack, and be prepared for them.
Co-author, Karl Koscher, concluded, “I would treat any input as untrusted and potentially able to compromise these applications. It would be wise to run these applications with some sort of isolation to contain the damage an exploit could do. Many of these applications are also run as publicly-available cloud services, and I would make isolating these instances a high priority.”