Researchers at the University of Washington have shown that it is possible to take over a computer using malware inserted into strands of DNA, which could theoretically make systems used in molecular biology vulnerable to a whole new attack vector.
The researchers published a paper detailing their findings, and explained its work in a more readable essay on its web site. They’ve proven that it is possible to take a strand of DNA and create malicious code that when inserted into the gene-sequencing process, could allow an attacker to gain control of that system.
“To the best of our knowledge, ours is the first example of compromising a computer system using biological or synthetic DNA samples,” the UW researchers wrote in their paper.
DNA sequencing has become an extremely popular tool in biological research, as it can provide valuable information about how diseases develop over time or how genetic diseases are passed on in hopes of developing treatments. This process has become far less expensive and time-intensive as computing power has soared, but inserting computers into the process without properly accounting for security could leave these DNA sequencing systems vulnerable.
The researchers were able to synthesize DNA strands — another important technique used in medical research — with malicious code hidden among the four basic DNA codes. Once that synthetic strand was processed through a computer with a security vulnerability put there by the researchers to prove the concept, they were able to gain control of that computer.
Why would anybody want to do this? One example listed in the paper showed that blood samples infused with these malicious synthetic DNA strands could be sent to a lab and used to gain control of that lab’s network, which could provide a ton of valuable data on sequencing techniques or technological advances that could be quite valuable to the right buyer.
The researchers emphasized that this is an extremely early experiment in what might be possible, but that they’re publishing their findings in hopes that the medical research community starts to think more seriously about computer security.
And if you’re already thinking about the plot of a science-fiction spy thriller based on these findings, the researchers also emphasized that these synthetic strains can’t be used to put a computer virus in people. “Our exploit shows that specifically designed DNA can be used to affect computer programs, not living organisms themselves,” they wrote.
The researchers will discuss the paper at the USENIX Security Symposium next week.