Malware Encoded Into DNA Hacks the Computer that Reads It
Even in March this year, a team of researchers successfully stored digital data — an entire operating system, a movie, an Amazon gift card, a study and a computer virus — in the strands of DNA.
But what if someone stores a malicious program into the DNA, just like an infected USB storage, to hijack the computer that reads it.
A team of researchers from the University of Washington in Seattle have demonstrated the first successful DNA-based exploit of a computer system that executes the malicious code written into the synthesised DNA strands while reading it.
To carry out the hack, the researchers created biological malware and encoded it in a short stretch of DNA, which allowed them to gain "full control" of a computer that tried to process the genetic data when read by a DNA sequencing machine.
The DNA-based hack becomes possible due to lack of security in multiple DNA processing software available online, which contains insecure function calls and buffer overﬂow vulnerabilities.
"We analysed the security of 13 commonly used, open source programs. We selected these programs methodically, choosing ones written in C/C++," reads the research paper [PDF], titled "Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More."
"We found that existing biological analysis programs have a much higher frequency of insecure C runtime library function calls (e.g., strcpy). This suggests that DNA processing software has not incorporated modern software security best practices."
Although this kind of hack probably doesn't pose any threat anytime soon, the team warned that hackers could in future use fake blood or spit samples to gain access to computers, steal information, or hack medical equipments installed at forensic labs, hospitals and the DNA-based data storage centers.
The researchers will be presenting this first "DNA-based exploit of a computer system" at the next week's Usenix Security Symposium in Vancouver.