Study finds poor computer security practices in DNA sequencing

ASIA PACIFIC DAILY


A new study from University of Washington researchers finds evidence of poor computer security practices used in DNA sequencing tools.

By analyzing the security hygiene of common, open-source DNA processing programs, researchers confirmed that known security gaps could allow unauthorized parties to gain control of computer systems, potentially giving them access to personal information or even the ability to manipulate DNA results.

DNA is a system that encodes information in sequences of nucleotides. Rapid improvement in DNA sequencing has sparked a proliferation of medical and genetic tests that promise to reveal everything from one's ancestry to fitness levels to microorganisms that live in one's gut.


Some open-source software programs used to analyze DNA sequencing data were written in unsafe languages known to be vulnerable to attacks, in part because they were first crafted by small research groups who likely were not expecting much adversarial pressure.

As the cost of DNA sequencing has plummeted over the last decade, open-source programs have been adopted more widely in medical- and consumer-focused applications.

Lee Organick (left), Karl Koscher (center) and Peter Ney from the UW’s Molecular Information Systems Lab and the Security and Privacy Research Lab prepare the DNA exploit for sequencing.

In the study, according to a University of Washington news release this week, the researchers also demonstrated for the first time that it is possible to compromise a computer system with malicious computer code stored in synthetic DNA.

Through trial and error, the team found a way to include executable code, similar to computer worms that occasionally wreak havoc on the Internet, in synthetic DNA strands.

When that DNA is analyzed, the code can become executable malware that attacks the computer system running the software, gaining control of the computer and potentially allowing the adversary to look at personal information, alter test results or even peer into a company's intellectual property.

This output from a sequencing machine includes the UW team’s exploit, which is being sequenced with a number of unrelated strands. Each dot represents one strand of DNA in a given sample.

Recommendations from the researchers to address vulnerabilities in the DNA sequencing pipeline include: following best practices for secure software, incorporating adversarial thinking when setting up processes, monitoring who has control of the physical DNA samples, verifying sources of DNA samples before they are processed and developing ways to detect malicious executable code in the DNA.
