Malware stored in synthetic DNA can take over PC: Study

Discovery of a new hacking method reverberates as DNA data storage becomes more widespread

University of Washington researchers figured out a way to use biology to infect computers with malicious code.
 
In their experiments, the researchers stored malware in synthetic DNA and demonstrated how that code can compromise a computer analyzing the DNA after it has been run through a gene-sequencing machine.
 
The danger of such an attack is still years away, the researchers said, adding they haven’t seen evidence of hackers attempting this sort of breach. The experiments highlight a new type of threat that could allow sophisticated coders to gain control of computer systems if precautions aren’t taken.
 

“This is something [the genomics industry] and the U.S. government should be concerned about,” said Tadayoshi Kohno, a computer-science professor at the university and a member of the research team.

 
The team will present the results of its experiments, conducted in late 2016 and 2017, at a security symposium in Vancouver, British Columbia, Canada, on Aug. 17.
 
The hack makes use of technology in which digital bits of data are converted into synthetic DNA. Researchers believe DNA data storage could prove far more durable than stashing information on hard disks and flash drives, which last just a few years and can crash without warning. The nascent technology converts the 1s and 0s of computing’s binary code into A, C, G and T, the letters that correspond to DNA base types, adenine, cytosine, guanine and thymine.

 
As the genomics industry has blossomed, the cost and speed of producing and sequencing those synthetic strands has dropped dramatically. At some point, it is conceivable hackers could harness those tools to exploit vulnerabilities.
 
Once a data file, such as a book or video, is converted, it can be reproduced into physical strands of synthetic DNA. The data can be retrieved by running the strands through DNA sequencing machines.

The technology makes it possible for hackers to create malware in synthetic DNA as well. The Washington researchers did that, designing a DNA strand containing malicious code to take over a computer and running strand through a genetic-sequencing machine. When that sequence is analyzed by PC software, it triggers the malware, giving the team full control over the computer.

 
In theory, hackers could mix synthetic DNA strands containing malware into a solution and send it to a lab for sequencing. Once they gained control of computers, the hackers could launch other attacks, similar to efforts to gain control of PCs by tricking users into unknowingly running executable codes.
 
Companies that create synthetic DNA take steps to prevent human-made viruses, the Washington research team said. But they believe no systems are in place to prevent the creation of DNA strands containing human-made computer malware.
 
“They certainly aren’t checking for things that are computer code,” said Peter Ney, a doctoral student in computer science on the Washington team.

 
For hackers lacking the researchers’ technology and expertise, there still are many challenges to pulling this exploit off. The biggest is creating the code to be turned into DNA strands, which remains arduous. What’s more, hackers need to find vulnerabilities to target in the software that sequencing companies use, the same way they would in trying to exploit a PC’s operating system.
 
The researchers said that is why they published the findings now, believing their work might help the genomics industry understand the potential risk and take steps to mitigate it.
 
“If industry does its job well, it’s a problem that will never manifest,” Dr. Kohno said.