Could your DNA be used as a vector for attack on devices and networks? The short answer is yes, kind of. As the line between science fiction and reality blurs every day, security breaches are becoming more complex and reaching deeper. At the Usenix Security Conference, a group of researchers from the University of Washington presented a paper showing how they wrote malware specifically to hijack industry-standard gene-sequencing devices. This was accomplished by encoding the malware into a strand of DNA. Once the gene sequencer reads the DNA strand, the device becomes corrupted and can be controlled remotely by an attacker.
The success rate of the attack was not high, but it was not low either: the attack was successful 37% of the time. Additionally, the researchers intentionally used a weakened version of sequencing software. However, the ability to use DNA as a vector for malware transmission was proven, and it certainly opens up new vulnerabilities for organizations.
Tadayoshi Kohno, the computer science professor in charge of the project, has stated that the method of packaging malicious code was very similar to how you embed malware into a web page or email attachment. Kohno has stated:
“…when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”
Science Fiction or Dangerous Paradigm Shift?
The discovery of this new threat class will have implications for the future, though, especially as genetic data becomes more integrated into both healthcare and financial institutions. Crime labs are also at risk from this new class. DNA-based malware attacks are a very realistic scenario considering that DNA samples often come to labs and testing facilities from outside sources. There are many points along the supply chain where the DNA could be encoded with malware to corrupt the laboratory that sequences it. As Peter Ney, a researcher on the project, stated:
“There are a lot of interesting, or threatening may be a better word, applications of this coming in the future.”
Consider the impact that botnet malware is having on the internet of things, where it is able to move across a network and take over unsecured devices, giving control to a remote hacker. From there it is easy for the hacker to exploit vulnerabilities in the network and steal information. The applications for DNA-based malware are near limitless and could cause new levels of sabotage across institutions.
Potential Prevention Method: Log Monitoring
Given that gene-sequencing devices are on a network like any other device, they also generate log data that can help in IT forensic analysis. Having a system in place to analyze log data across a network would be extremely helpful for detection and prevention of a data breach. This is where security information and event management (SIEM) solutions come in. SIEM is the activity of tracking, collecting, and analyzing log data. SIEM software often identifies behavioral patterns, defines a “normal” or baseline for devices and users, and monitors for deviations from the baseline. SIEM software does not usually take action on findings, but provides very actionable data for security teams. However, there may have to be some updates to accommodate this new class of threat for proper detection.
The line between science fiction and reality is blurring day by day, which is producing some exciting and threatening future scenarios.
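The baseline-and-deviation idea described above can be sketched in a few lines. This is an added example, not code from the researchers or from any SIEM product; the host names, process names, destinations and log records are constructed for illustration, and the alert threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (host, process, destination, bytes_out).
# Host and process names are hypothetical, not from any real sequencer.
BASELINE_EVENTS = [
    ("seq-01", "basecaller", "lims.lab.example:443", 1000),
    ("seq-01", "basecaller", "lims.lab.example:443", 1100),
    ("seq-01", "basecaller", "lims.lab.example:443", 900),
    ("seq-01", "updater", "vendor.example:443", 1000),
]
NEW_EVENTS = [
    ("seq-01", "basecaller", "lims.lab.example:443", 1050),   # normal
    ("seq-01", "basecaller", "lims.lab.example:443", 50000),  # volume spike
    ("seq-01", "analysis-pipeline", "203.0.113.7:443", 800),  # unseen process/destination
    ("seq-09", "basecaller", "lims.lab.example:443", 1000),   # host never baselined
]

def build_baseline(events):
    """Learn, per host, the known (process, destination) pairs and byte-volume stats."""
    pairs, volumes = defaultdict(set), defaultdict(list)
    for host, proc, dest, nbytes in events:
        pairs[host].add((proc, dest))
        volumes[host].append(nbytes)
    return {
        host: {"pairs": pairs[host],
               "mean": mean(volumes[host]),
               # Floor the deviation so a perfectly flat baseline cannot flag everything.
               "std": max(pstdev(volumes[host]), 1.0)}
        for host in pairs
    }

def find_deviations(baseline, events, z_limit=3.0):
    """Return (host, reason) alerts for events outside the learned baseline."""
    alerts = []
    for host, proc, dest, nbytes in events:
        profile = baseline.get(host)
        if profile is None:
            alerts.append((host, "no-baseline"))
            continue
        if (proc, dest) not in profile["pairs"]:
            alerts.append((host, f"new-pair:{proc}->{dest}"))
        if (nbytes - profile["mean"]) / profile["std"] > z_limit:
            alerts.append((host, f"volume:{nbytes}"))
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

As with SIEM output in general, the alerts are data for an analyst to triage rather than an automatic response.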