Researchers from the University of Washington in Seattle have successfully encoded a malicious program into a DNA sample, that once executed by a sequencing machine would cause a buffer overflow in the analysis software an allow attackers to remotely control the computer system.
Using a short stretch of 176 DNA letters – or nucleotides – researchers were able to represent binary pairs of zeros and ones (00, 01, 10, 11) by attributing them to A, G, C, and T nucleotides. When processed by the DNA sequencing machine’s software, the string of instructions would cause a buffer overflow that would allow an attacker to execute malicious commands on the system.
“We found that existing biological analysis programs have a much higher frequency of insecure C runtime library function calls (e.g., strcpy),” reads the “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More” research paper. “This suggests that DNA processing software has not incorporated modern software security best practices.”
The biological proof-of-concept malware was able to contact a server controlled by the researchers, enabling them to remotely control the lab computer tasked with analyzing the DNA sequence. While researchers believe that this type of attack is unlikely to occur in-the-wild, they do speculate that future attacks could rely on “crafted” blood and saliva samples to compromise computer systems.
The team also said that the vulnerability exploited by the malicious DNA sample did not involve a specific software that’s currently being used by DNA sequencing machines, but a specially-designed software that was engineered to respond to the buffer overflow sequence.
“Our exploit did not target a program used by biologists in the field; rather it targeted one that we modified to contain a known vulnerability,” reads the research paper. “Our key finding is that it is possible to encode a computer exploit into synthesized DNA strands.”
While this is not the first time researchers have used innovative methods for compromising computer systems, it is the first time that DNA has been used to encode malicious code.