
Malware in your DNA sequence data? Technically, it’s possible

11 Aug 17

Could hackers exploit your DNA sequence and encode it with malware? A new study from the University of Washington says yes, it’s possible – and may be a look into the future of science security.

A new research paper, called “Computer Security, Privacy and DNA Sequencing”, looks at how malware creators could potentially take DNA sequencing information, lace it with malware and then infect scientific computers.

Modern DNA sequencing techniques are able to run hundreds of millions of DNA strands at any one time, and the computing power behind those techniques must process, analyse and store those strand sequences.

The research paper, written by Peter Ney, Karl Koscher, Lee Organick, Luis Ceze and Tadayoshi Kohno, says that while DNA sequencing hasn’t yet been a target for adversaries, there is a real chance it could happen in future.

Many open source DNA processing programs were written in languages known to have security problems, such as C and C++, and the researchers say that sequencing security is not up to scratch when it comes to defending against cyber attackers.

“We stress that our target modified program has a known, and in some sense trivial, vulnerability. We also stress that its environment is in many ways the “best possible” environment for an adversary,” the researchers say in their report.

It is entirely possible to create synthetic DNA strands with malicious computer code. That code could then remotely give full control of the computer to attackers.

Researchers say that some DNA sequencing programs have been developed by specific research communities so it would be difficult for attackers to take advantage of these programs, but theoretically it is possible.

“Although used broadly by biology researchers, many of these programs are written by small research groups and thus have likely not been subjected to serious adversarial pressure. We therefore hypothesize that the rate of serious vulnerabilities will be higher here than in more mature software (e.g., Internet services).”

Researchers also say that as DNA sequencing becomes cheaper, it brings more opportunities for attackers. Wet labs as a service, in which non-experts can use lab techniques, could also increase the possibility of attack. Finally, storing DNA sequence data in cloud services also poses risks.

However, the researchers say that there’s no reason for concern – yet.

“We again stress that there is no cause for people to be alarmed today, but we also encourage the DNA sequencing community to proactively address computer security risks before any adversaries manifest. That said, it is time to improve the state of DNA security,” a statement concludes.
