Researchers at the University of Washington say it's possible to hack a computer using malware stored in DNA. In other words, malware is going molecular.
There's no evidence anyone is using this for nefarious reasons—at least not yet. But researchers say "security gaps" in common, open-source DNA processing programs could make it possible—though not easy—for individuals to gain control of computer systems, access personal information, and even manipulate DNA results.
In a new paper, the team offer details of this technique and recommendations to strengthen computer security and privacy protections in DNA synthesis, sequencing, and processing.
"One of the big things we try to do in the computer security community is to avoid a situation where we say, 'Oh shoot, adversaries are here and knocking on our door and we're not prepared,'" co-author Tadayoshi Kohno, a professor at UW's Paul G. Allen School of Computer Science and Engineering, said in a statement. "Instead, we'd rather say, 'Hey, if you continue on your current trajectory, adversaries might show up in 10 years. So let's start a conversation now about how to improve your security before it becomes an issue.'"
Researchers hypothesized that it may be possible to produce malware-laden DNA strands that, if sequenced and analyzed, could compromise a computer. Through trial and error, they proved it could be done.
"To assess whether this is theoretically possible, we included a known security vulnerability in a DNA processing program," they wrote. "We then designed and created a synthetic DNA strand that contained malicious computer code encoded in the bases of the DNA strand. When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing. That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA."
- Researchers Store Full Computer Operating System on DNA Researchers Store Full Computer Operating System on DNA
You shouldn't worry too much at this point, though, according to author and Allen School Associate Professor Luis Ceze. "We don't want to alarm people or make patients worry about genetic testing, which can yield incredibly valuable information," Ceze said. "We do want to give people a heads up that as these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before."
Co-author Lee Organick, a research scientist in the Molecular Information Systems Lab, said someone would have to overcome "lots of challenges" to pull this off. "Even if someone wanted to do this maliciously, it might not work," Organick wrote. "But we found it is possible."
The researchers plan to discuss their findings during a presentation at the USENIX Security Symposium in Vancouver on Aug. 17.