In March this year, a team of researchers successfully stored digital data — an entire operating system, a movie, an Amazon gift card, a study and a computer virus — in strands of DNA.
But what if someone stores a malicious program in DNA, just like on an infected USB drive, to hijack the computer that reads it?
A team of researchers from the University of Washington in Seattle has demonstrated the first successful DNA-based exploit of a computer system: malicious code written into synthesised DNA strands is executed by the computer while it reads them.
To carry out the hack, the researchers created biological malware and encoded it in a short stretch of DNA, which allowed them to gain "full control" of a computer that tried to process the genetic data when read by a DNA sequencing machine.
The DNA-based hack is possible because of a lack of security in many of the DNA processing programs available online, which contain insecure function calls and buffer overflow vulnerabilities.
"We analysed the security of 13 commonly used, open source programs. We selected these programs methodically, choosing ones written in C/C++," reads the research paper [PDF], titled "Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More."
"We found that existing biological analysis programs have a much higher frequency of insecure C runtime library function calls (e.g., strcpy). This suggests that DNA processing software has not incorporated modern software security best practices."
To create the biological malware, the researchers translated a simple computer program into a short stretch of 176 DNA letters, denoted as A, G, C, and T, each representing a binary pair (A=00, C=01, G=10, T=11).
The exploit relied on a basic buffer overflow, in which a program ends up executing a malicious command because the input it reads exceeds the maximum length the program expects.
The command then contacted a server controlled by the team, from where the researchers took control of a computer in their laboratory they were using to analyse the DNA file.
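As an added illustration (not code from the paper or from any of the sequencing tools it studied), this C sketch packs a read using the A=00, C=01, G=10, T=11 mapping and rejects a read longer than its fixed buffer instead of copying it unchecked. `MAX_BASES`, `pack_read` and the sample reads are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BASES 64                 /* assumed per-read limit for this sketch */
#define PACKED_BYTES (MAX_BASES / 4) /* four 2-bit bases fit in one byte */

/* Mapping quoted in the article: A=00, C=01, G=10, T=11; -1 for anything else. */
static int base_to_bits(char b) {
    switch (b) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;
    }
}

/*
 * Pack a NUL-terminated read into out[PACKED_BYTES], first base in the high bits.
 * Returns the number of bases packed, -1 if the read is longer than MAX_BASES
 * (the case where an unchecked strcpy-style copy would write past the buffer),
 * or -2 if the read contains a character other than A, C, G or T.
 */
int pack_read(const char *read, uint8_t out[PACKED_BYTES]) {
    size_t i;
    memset(out, 0, PACKED_BYTES);
    for (i = 0; read[i] != '\0'; i++) {
        if (i >= MAX_BASES)
            return -1;               /* length check happens before any write */
        int bits = base_to_bits(read[i]);
        if (bits < 0)
            return -2;
        out[i / 4] |= (uint8_t)(bits << (6 - 2 * (i % 4)));
    }
    return (int)i;
}

int main(void) {
    uint8_t buf[PACKED_BYTES];
    char long_read[177];             /* constructed 176-letter read, all 'A' */
    memset(long_read, 'A', 176);
    long_read[176] = '\0';
    printf("ACGT -> %d bases, first byte 0x%02X\n", pack_read("ACGT", buf), buf[0]);
    printf("176-letter read -> %d\n", pack_read(long_read, buf));
    return 0;
}
```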
"Our exploit did not target a program used by biologists in the field; rather it targeted one that we modified to contain a known vulnerability," the researchers said.
Although this kind of hack probably doesn't pose any threat anytime soon, the team warned that hackers could in the future use fake blood or spit samples to gain access to computers, steal information, or hack medical equipment installed at forensic labs, hospitals and DNA-based data storage centers.
The researchers will be presenting this first "DNA-based exploit of a computer system" at next week's Usenix Security Symposium in Vancouver. For a more in-depth explanation of the DNA-based hack, you can head over to the research paper.