10 August, 2017
It is well known in computer security that any data used as input into a program may contain code created to compromise a computer.
The research was carried out at the University of Washington. Through trial and error, the team found a way to include executable code-similar to computer worms that occasionally wreak havoc on the internet-in synthetic DNA strands.
This command was created to target a particular flaw that the team had previously discovered in the DNA processing programme.
When such an infected DNA interacts with a computer, the code could hack that system and take control.
By encoding malware into strands of the human DNA, the researchers were able to infect a gene-sequencing machine by corrupting the software it runs on. "Thus, while scientifically interesting, we stress that people today should not necessarily be alarmed, as we discuss both above and below". "We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before". The natural stability of DNA depends on a regular proportion of A-T and G-C pairs, and while a buffer overflow often involves using the same strings of data repeatedly, doing so in this case caused the DNA strand to fold in on itself, necessitating the repeated rewriting of their exploit code to find a form that could survive as DNA, which the synthesis service would ultimately send them in the mail.
A doctored biological sample could even be used as a vector for malicious DNA to be processed downstream after sequencing, and executed.
The hack was done as a call to arms to the genetic data processing community to ensure best practices, and to prompt a discussion about the regulations around DNA sequencing.
It should be noted that the exploit created by the researchers didn't target any specific program used by biologists; rather it targeted a modified program with known vulnerability.
"We have no reason to believe that there have been any attacks against DNA sequencing or analysis programs", the researchers wrote. "The DNA sequence we designed for this paper does not have any biological significance".
Co-author Dr Lee Organick added: 'To be clear, there are lots of challenges involved. "Even if someone wanted to do this maliciously, it might not work".
"We look at emerging technologies and ask if there are upcoming security threats that might manifest, so the idea is to get ahead", says Peter Ney, a graduate student in Kohno's Security and Privacy Research Lab.
The tiny movie, consisting of just five frames, shows a thoroughbred mare named Annie G galloping in 1887. If hackers managed to use this technique to infect DNA with the same exploit, they could potentially change test results and gain access to personal information and a company's intellectual property. One is that the kind of malicious DNA coding devised by the UW team wouldn't affect how living organisms work.
For the GIF, sequences are delivered frame-by-frame over time to living bacteria, where they are inserted into the genome in the order that they were delivered.
This pipeline includes any facility that accepts DNA samples for computer-based gene sequencing and processing.
Because the CRISPR system adds DNA snippets sequentially, the position of each snippet in the array could be used to determine the original frame to which the snippet belonged - allowing the "movie" to be reconstructed.