It is comprised of four different “nucleotides,” which combine in different ways to provide genetic instructions for different outcomes. I like to think of it like binary machine code where the combinations of 0’s and 1’s are combined to define a program for a computer to execute. This is probably a common analogy since scientists have been encoding digital data into organic DNA for a while now.
This is exactly what Tadayoshi Kohno at the University of Washington was thinking about when he and his team devised the experiment to encode a malicious virus in DNA — a virus that doesn’t compromise humans, but computers. While much of scientists’ work with DNA happens with organic materials, some of it requires computers to decode the DNA information into a digital format and this is where the research team focused their attack.
The team admits that they created the “best possible environment” in which to test their theory. They changed the source code of the fqzcomp DNA compressor to include a fixed data buffer which would be vulnerable to a buffer overflow attack. The next step was to encode the buffer overflow data into synthetic DNA. Encoding digital information into DNA that uses only four nucleotides with physical restrictions on the combinations is challenging and took many iterations, but the team was eventually able to come up with a viable formula and it was sent to Integrated DNA Technologies for synthesis.
When the vial of DNA was received from the synthesis service, the team now had a computer program vulnerable to the exploit encoded on that DNA and the test was ready to go. They sequenced the DNA samples using the known-vulnerable fqzcomp compressor and 37% of the time the attack was successful — the buffer overflow compromised the computer system and could have granted unauthorized access to the perpetrators.
“[the] attack was fully translated only about 37 percent of the time since the sequencer’s parallel processing often cut it short or—another hazard of writing code in a physical object—the program decoded it backward. (A strand of DNA can be sequenced in either direction, but a code is meant to be read in only one. The researchers suggest in their paper that future, improved versions of the attack might be crafted as a palindrome.)”, reads the Wired Magazine.
Is this a viable attack? It depends on many factors. The bad guys would have to compromise software used in the DNA sequencing and analysis stages like these researchers did. Or they would have to find existing vulnerabilities in the software currently being used (not hard to imagine when you realize how many vulnerabilities exist in all software.) The bad guys would also have to arrange for the target to receive a sample of the specially crafted malicious DNA, or find a vulnerability that could be exploited by known samples that did not require modification. There are a variety of ways the DNA processes could be compromised but for now, they are all complex with a low probability of success. It will take a lot of (financial) motivation or time for malicious researchers to make these attacks viable. But we know it is possible, so we can start to think about the implications now.
About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.