How’s that for a security threat? A hidden backdoor in lab software that activates when it receives a specially crafted digital DNA sample.
Typically, this backdoor would be introduced in a supply chain attack, as we saw with compromised SolarWinds monitoring tools. When the lab analysis software processes a digital sample of genetic material with the encoded trigger, the application’s backdoor activates: the trigger can include an IP address and network port to secretly connect to, or other instructions to execute, allowing spies to snoop on and interfere with the DNA processing pipeline.
It could be used to infiltrate national health institutions, research organizations and healthcare companies, as few have recognized the potential of biological material as a vector or trigger for malware. Just as you can use the DNA of living bacteria to store information, this storage can be weaponized against applications processing this data.
When you look at a typical sequencing process, the DNA strands enter a sequencer, which creates a digital file that the computer connected to the sequencer analyzes. As you can imagine, this is how you can introduce malicious but otherwise valid and sanitized data into a lab, via a sample sent for processing.
Sasitharan Balasubramaniam of the University of Nebraska, one of the leaders of a recent exploration of these vulnerabilities and what they mean for the emerging field of bio-cybersecurity, detailed this threat – as well as ways to strengthen it and detect it in time.
This is not science fiction
In 2017, in one of the few biosafety research projects focused on DNA sequencing, researchers at the University of Washington synthesized DNA so that when converted into a digital file and introduced into an application, a security flaw was exploited to open a backdoor network connection. This research was based on a vulnerability present in the code, accidentally or deliberately introduced.
The new effort builds on that and involves Trojan horse software and a simple little trigger in DNA. “What’s important here in our work is that we’ve looked at all the ways to hide this in the DNA and all the most effective ways to do it so that the code can’t be found,” explained Balasubramaniam.
“There is a concept in DNA research called steganography, which is frequently used in DNA coding. Using this, we could hide this little piece of code very effectively.”
The good news is that by using a deep learning technique developed by his team, it is possible to spot sneaky manipulations of DNA. The team log explains this in more detail.
Importantly, the threat goes far beyond healthcare companies or national health services. At stake is not just the possibility of human patient data being manipulated once the systems are compromised. Think of a large agricultural research company with massive volumes of genetic research.
“What we are saying here is that the impact is significant: we need to rethink the way systems are secured, not only from the management and storage of this data, but also from the way the data are sequenced and processed,” Balasubramaniam said.
He and his team are not yet aware of this overhaul happening in real organizations, but the risk is pressing and requires a new focus on biocybersecurity research. When The Register asked if the sequencing companies were aware of this threat, Balasubramaniam replied no.
“We want to create awareness so that these companies don’t just think about anti-malware from a cyber-infrastructure perspective, but also from a bio-infrastructure perspective.”