University of Washington researchers conducting a security audit of commonly used open-source processing programs for sequencing DNA have found alarming gaps in the security measures. The study (PDF) has found that the security practices throughout the field are not up to the mark. The study exposes the security risks associated with DNA sequencing, which can compromise some of the most intimate details possible of people.
The researchers have not found any evidence of malicious attacks on DNA synthesis, but the analysis of the software showed that hackers can target and compromise these systems. This could allow unauthorised actors to access personal information, get access to the intellectual property of a company, and even manipulate the DNA results. A part of the problem is that the tools for DNA sequencing were initially developed by authors who did not imagine that the technology would see an exposure to cybersecurity risks in the future. The tools are written in languages with known vulnerabilities.
The researchers also managed to hide malicious code in synthetic DNA, which turned into executable malware when the DNA was analysed by a computer. This is the first time that such a vector of attack has been demonstrated to work on a computer. The researchers have indicated that while this approach is technically possible, it is not very easy to achieve, and that unauthorised persons may not be able to always successfully comrpomise a computer using this approach.
Luis Ceze, co-author of the paper says, "We don’t want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information. We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven’t really had to contemplate before."
The team has also presented a number of best practices for tackling the problem. Organisations have been advised to think about possible vectors of attack while setting up processes, verifying DNA samples before feeding them in for analysis, monitoring, verifying and tracking the DNA samples, and developing ways to identify malicious code hidden in DNA samples. The results of the study will be presented on 17 August at the 26th USENIX Security Symposium.