Aug 31, 2017 | By Stone Tillotson
A novel approach by researchers at the University of Washington (UW) relies on encoding cybersecurity exploits into DNA sequences, which, when processed, can compromise affected DNA sequencers and analysis engines. By carefully crafting DNA sequences, the research team was able to devise a sequence that was physically possible, was short enough to be preserved through the analysis process, and contained an encoded exploit. Typically, the results of the sequencing process would then be written to file for post-processing and analysis, and it was this analysis system that was the end goal of the attack. The team was able to demonstrate a functional, if short, compromise on their demonstration setup, proving the end-to-end nature of the attack vector. While noting several simplifying departures in their experimental setup, the UW team also noted that lab equipment, much like SCADA and medical devices, wasn't built with security in mind, making this attack and others like it a realistic possibility.
IISP Analyst Stone Tillotson: "The UW team deserves a lot of credit for starting a conversation about the possibility of this attack vector now. This attack vector offers the possibility to compromise the infrastructure which undergirds both the modern criminal investigatory apparatus and pharmaceutical industries. A compromised sequencer or its downstream analyzer could silently commit industrial espionage, or worse, tamper with the results of a criminal investigation. In fact, the UW team found that control programs for the sequencing and analysis process often reflected a relaxed attitude toward security concerns and often made use of unsafe practices, so the testing setup might not be far off the mark. The most frightening possibility emerging from all of this is: What if a lab used for analyzing evidence in criminal cases were found to be compromised? The 2012 revelation that Massachusetts lab technician Annie Dookhan was found to be fabricating test results in criminal cases led to the overthrow of some 20,000 drug convictions. Such an outcome is only the more terrifying when considering on what kind of cases DNA evidence is usually collected. Hopefully, the UW team's work will start to push lab equipment manufacturers in the same direction as SCADA went last decade before the otherwise inevitable, bone-chilling results."
For further reading
- Research Paper: https://dnasec.cs.washington.edu/dnasec.pdf
- GenEng News: http://www.genengnews.com/gen-news-highlights/malware-hidden-in-synthetic-dna-could-infect-sequencing-systems/81254793
- Boston Globe: https://www.bostonglobe.com/metro/2017/04/18/prosecutors-file-lists-thousands-dookhan-cases-for-dismissal/VTLYebLQ1BbtyQOyJmENoI/story.html