Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday August 11, @03:21AM   Printer-friendly
from the gives-fireeye-a-whole-new-meaning dept.

Research to be presented at the 2017 USENIX Security Symposium has shown how DNA sequencing software can theoretically be hacked using malware embedded into synthesized DNA:

Researchers at the University of Washington have shown that by changing a little bit of computer code they can insert malware into a strand of DNA that, when read by DNA sequencing software, allows them to remotely control a computer or cause it to suddenly crash.

In a related analysis, the group evaluated the security of 13 software programs commonly used for DNA analysis, and found 11 times as many vulnerabilities as are present in other types of software.

The "hack" required the team to add a buffer overflow vulnerability into the open source program fqzcomp, so it doesn't reflect a real world risk. But there may be other issues at labs:

Anyone who creates an account at DNA research institutes could also submit sequencing files that could be malicious. Additionally, since bioinformatics software isn't commonly targeted by hackers, the software isn't generally hardened to attacks. They also note patching difficulties since DNA analysis software packages are often aren't[sic] managed in a central code repository.

Quick, let's edit our genomes to add malware!

This research came too late to be used in a CSI script.

Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2) by Snotnose on Friday August 11, @03:29AM (8 children)

    by Snotnose (1623) on Friday August 11, @03:29AM (#552092)

    to prove FOSS software is insecure. How do I get a grant to study such things?

    And how the hell can the sequenced DNA take control of a computer? Sounds like certain combinations of whatchamacallems trigger bugs in the software. Fix those bugs, and you can sequence DNA from Rigel without worrying about getting an alien virus in your computer.

    • (Score: 0) by Anonymous Coward on Friday August 11, @03:31AM (1 child)

      by Anonymous Coward on Friday August 11, @03:31AM (#552095)

      I can only hope that when I'm cloned from my DNA sample that it's not done with a Windows 30 PC.

      • (Score: 0) by Anonymous Coward on Friday August 11, @09:12AM

        by Anonymous Coward on Friday August 11, @09:12AM (#552213)

        Well there's your problem, Windows 30 has poor support for 512bit hardware. Stick to Debian 15 or Gnu/Hurd 0.1alpha

    • (Score: 2) by frojack on Friday August 11, @05:33AM (5 children)

      by frojack (1554) Subscriber Badge on Friday August 11, @05:33AM (#552135) Journal

      This is what you get when geneticists start writing computer software. Crap software.
      Any time input data can crash a piece of software you know there was an amateur involved somewhere along the line.

      Never let a scientist touch the computer or use software more complex than a spread sheet.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Friday August 11, @05:56AM

        by Anonymous Coward on Friday August 11, @05:56AM (#552149)

        Never let a scientist touch the computer or use software more complex than a spread sheet.

        I've seen scientists doing some bad things with spread sheets...

        Anecdote: We had a researcher at our molecular genetics lab once, that somehow (we had no idea it was even remotely possible do that) managed to mess up the whole GUI of the software driving an electrophoresis gel reader, every fricking time.

      • (Score: 2) by takyon on Friday August 11, @05:58AM (2 children)

        by takyon (881) <{takyon} {at} {soylentnews.org}> on Friday August 11, @05:58AM (#552151) Journal

        And yet they still had to gene code edit a vuln in. Sad (I want hack)!

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 0) by Anonymous Coward on Friday August 11, @06:18AM (1 child)

          by Anonymous Coward on Friday August 11, @06:18AM (#552158)

          Maybe... but this research gives something to think about.

          DNA contains 4 possible nucleotides + some other "options", which allow encoding it into one byte/nucleotide. If these bytes get written beyond their buffer, they could potentially be reinterpreted by the computer as executional code, hence allowing the DNA code to be executed as a program. But in principle, this could be done with any data that's being read, it's just that they found a novel attack vector that could be used in multiple ways. Thing is that DNA sequencing is often outsourced to third party companies, requiring some trust between the parties (that you don't send them DNA-encoded malware and they don't return sequencing data with hacked sequences).

          • (Score: 2) by takyon on Friday August 11, @06:42AM

            by takyon (881) <{takyon} {at} {soylentnews.org}> on Friday August 11, @06:42AM (#552165) Journal

            It remains to be seen if this attack vector ever becomes useful. Now they've clued in the world to this possibility. Hacking a facility that routinely sequences DNA could yield very valuable data (intellectual property or "useful" genes, genomes for "high value" people, etc.)

            Bioengineering is a big deal and for some firms a loss of secret IP could lead to nearly immediate bankruptcy.

            --
            [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 0) by Anonymous Coward on Friday August 11, @01:56PM

        by Anonymous Coward on Friday August 11, @01:56PM (#552268)

        Consider the alternate: as a programmer, would you like to lend a hand? That does involve learning advanced molecular biology and genetics; and apply it in intricate bench experiments by slogging over long periods. All this for glorious compensation of around $40k (I started at $27k with my PhD).

  • (Score: 0) by Anonymous Coward on Friday August 11, @03:44AM

    by Anonymous Coward on Friday August 11, @03:44AM (#552102)

    Install it on yourself today!

  • (Score: 2) by kaszz on Friday August 11, @04:04AM

    by kaszz (4211) on Friday August 11, @04:04AM (#552107) Journal

    In the future all citizens are DNA sampled until they tried it with the citizen that had the sequence malware inside his DNA :P

    ; DROP ALL
    Q!#/olG}#$%]]],][@#+++NO CARRIER

  • (Score: 0) by Anonymous Coward on Friday August 11, @04:44AM

    by Anonymous Coward on Friday August 11, @04:44AM (#552118)

    So a biologist and a programmer walk into a bar...

    ...

    Mathematicians and physicists die laughing.

  • (Score: 0) by Anonymous Coward on Friday August 11, @05:29AM

    by Anonymous Coward on Friday August 11, @05:29AM (#552133)

    And QA is telling you to assign a float and bound-check a 4lane GPIO input...
    Well, if you have that one EE intern that gets the joke and laughs with you it's not as sad... But that guy left back to India :( Damnit Trump!!!

  • (Score: 0) by Anonymous Coward on Friday August 11, @06:07AM

    by Anonymous Coward on Friday August 11, @06:07AM (#552154)

    They also note patching difficulties since DNA analysis software packages are often aren't[sic] managed in a central code repository.

    Most labs I've seen just buy commercial packages (with a Windows installer), where the hard stuff is done by FOSS programs running behind the GUI. Some allow install of these FOSS programs from a remote server, with some updates, but there are also ones that require manual installation/updates, ur are just bundled with the package that you buy.

  • (Score: 2) by gringer on Friday August 11, @12:42PM (1 child)

    by gringer (962) on Friday August 11, @12:42PM (#552250)

    FASTQ is a file format, not a program.

    FWIW, The buffer overflow was introduced into the fqzcomp [sourceforge. net] program. The FASTQ file was "modified" by the use of synthesised DNA.

(1)