Poor computer security practices used in DNA sequencing tools
By analyzing the security hygiene of common, open-source DNA processing programs, researchers at the University of Washington (UW) confirmed that known security gaps could allow unauthorized parties to gain control of computer systems, potentially giving them access to personal information or even the ability to manipulate DNA results.
DNA is a system that encodes information in sequences of nucleotides. Rapid improvement in DNA sequencing has sparked a proliferation of medical and genetic tests that promise to reveal everything from one's ancestry to fitness levels to microorganisms that live in one's gut.
However, some open-source software programs used to analyze DNA sequencing data were written in unsafe languages known to be vulnerable to attacks, in part because they were first crafted by small research groups who likely weren't expecting much adversarial pressure.
But as the cost of DNA sequencing has plummeted over the last decade, open-source programs have been adopted more widely in medical- and consumer-focused applications.
The findings by researchers at the UW Security and Privacy Research Lab and UW Molecular Information Systems Lab will be presented August 17 in Vancouver, B.C., Canada, at the 26th USENIX Security Symposium.
In the study, according to a UW news release this week, the researchers also demonstrated for the first time that it is possible to compromise a computer system with malicious computer code stored in synthetic DNA.
Through trial and error, the team found a way to include executable code, similar to computer worms that occasionally wreak havoc on the internet, in synthetic DNA strands.
When that DNA is analyzed, the code can become executable malware that attacks the computer system running the software, gaining control of the computer and potentially allowing the adversary to look at personal information, alter test results or even peer into a company's intellectual property.
Recommendations from the researchers to address vulnerabilities in the DNA sequencing pipeline include: following best practices for secure software, incorporating adversarial thinking when setting up processes, monitoring who has control of the physical DNA samples, verifying sources of DNA samples before they are processed and developing ways to detect malicious executable code in DNA.
Meanwhile, researchers at the UW Molecular Information Systems Lab, or MISL, are working to create next-generation archival storage systems by encoding digital data in strands of synthetic DNA.
Although their system relies on DNA sequencing, it does not suffer from the security vulnerabilities identified in the new research, in part because the MISL team has anticipated those issues and because their system doesn't rely on typical bioinformatics tools.