A team of scientists from the University of Washington have figured out how to infect a computer using malicious code inside DNA. This attack vector isn't aimed at your everyday PC sitting on your desk at home or in the office; this hack aims directly at the infrastructure around the DNA transcription and analysis industry. The team behind the hack was concerned about the security with that infrastructure after finding basic vulnerabilities in some of the open-source software used in labs that analyze DNA all around the world.
While the basic issues with the software could be vulnerable to hacks using traditional tools, like malware and viruses, the team of researchers went the extra mile and devised what appears to be the first time in history malicious code packed inside a strand of DNA was used to attack a computer system. This attack vector works because the software the DNA analysis equipment runs is basically turning the building blocks of DNA into binary data.
You probably remember those DNA building blocks from school that include cytosine (C), thymine (T), adenine (A), and guanine (G). The transcription application used in the attack reads the raw data from the transcription and looks for patterns in base sequences and then converts that into binary code.
"The conversion from ASCII As, Ts, Gs, and Cs into a stream of bits is done in a fixed-size buffer that assumes a reasonable maximum read length," explained co-author Karl Koscher when asked for more technical information by TechCrunch.
The team then devised a buffer overflow attack, however, they did have to introduce a vulnerability to the software themselves to make the attack work. The team points out that similar vulnerabilities are present elsewhere.
"The exploit was 176 bases long," Koscher wrote. "The compression program translates each base into two bits, which are packed together, resulting in a 44 byte exploit when translated."
"Most of these bytes are used to encode an ASCII shell command," he continued. "Four bytes are used to make the conversion function return to the system() function in the C standard library, which executes shell commands, and four more bytes were used to tell system() where the command is in memory."
In a nutshell, once the DNA is converted into binary by the software, the exploit is able to execute commands in the system. While all the researchers did was show that you could execute commands in the system, the team says that there is room for more code if you wanted to do more than simply break out of the app. The DNA strand used in the exploit has 176 bases and is said to be very small; in other words there is plenty of room inside DNA for more complex attacks.
There is one important tidbit to squash the fear this might raise in some, one of the researchers noted that it's very difficult and there are many challenges ahead to get the doctored DNA sample into the sequencer for analysis. Team member Lee Organick said, "However, getting the malicious DNA strand from a doctored sample into the sequencer is very difficult with many technical challenges,” she continued. “Even if you were successfully able to get it into the sequencer for sequencing, it might not be in any usable shape (it might be too fragmented to be read usefully, for example)." This type of attack clearly requires a much more complicated attack vector than a more common attack like hacking your Amazon Echo speaker to listen to your conversations.