While the constant creativity demonstrated by cyber criminals often leaves people wondering about the future of cyber-attacks, a weird and, frankly, pretty scary new method has recently come to light, and it's using DNA! Yes, you read that right.
First question: why would anyone want to hack DNA? Well, for starters, if you have been watching any of the popular crime and forensics TV series or reading crime novels, you might have some insight into where DNA hacking could be of use: for example, tampering with blood, hair or saliva samples by injecting them with malware that alters the recorded DNA sequences, which might make it difficult to catch the suspect.
And while that sounds like something from the realm of science fiction, researchers from the University of Washington were, for the first time, able to show that code could be embedded in DNA strands that, when run through a gene sequencer (simply a machine used to analyze DNA), executes a program that could alter or corrupt the sequencing software and take control of the underlying computer.
Getting a bit technical, the researchers used DNA's four chemical bases, adenine, cytosine, guanine and thymine (A, C, G and T), to encode their malware. The DNA was then read by a sequencing device, which converted the molecular code into computer data; when that data was processed by the vulnerable software, it exploited the computer connected to the DNA sequencer and took it over.
According to the research paper released by the University of Washington, the diagram at the start of this blog explains their technique. The attempt uses an obscure feature of bash that exposes virtual /dev/tcp devices which create TCP/IP connections. That feature was used to redirect stdin and stdout of /bin/sh to a TCP/IP socket, which connects back to their server. They combined this tactic with a return-to-libc attack that calls system(), resulting in a 43-byte exploit. They used a short, fully qualified domain name that they controlled, as well as a single-digit port number, to keep the exploit as short as possible.
The sample was then sequenced on all four lanes (that is, physically separate portions) of the flow cell. After demultiplexing by indices, there were four separate FASTQ files, one for each lane, together containing 811,118 reads. They processed the four FASTQ files separately and filtered out low-quality reads in which one or more bases could not be identified; such bases appear as Ns (representing an unknown base) in the FASTQ file. They provided the filtered FASTQ file from the first lane to their modified fqzcomp program, which immediately called back to their server, giving them arbitrary remote code execution via a bash shell.
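To make the two data-handling steps above concrete (bases carrying bits, and reads with unknown bases being filtered out), here is a small added example. It is not code from the University of Washington paper or from fqzcomp: it parses FASTQ records, drops any read containing an N as the text describes, and unpacks the remaining bases two bits per base into bytes. The A=00, C=01, G=10, T=11 mapping and the three sample reads are constructed assumptions for illustration; the page does not give the researchers' actual encoding.

```python
"""Parse FASTQ, filter reads containing N, and decode bases to bytes.

Added example; not the University of Washington paper's code and not
fqzcomp. The 2-bit mapping A=00, C=01, G=10, T=11 is an assumption made
for illustration, as is the sample FASTQ below.
"""

# Constructed FASTQ sample (not real sequencer output): three records.
# The second read contains Ns and must be dropped, as the text describes.
SAMPLE_FASTQ = """\
@read1
ACGTACGTACGTACGT
+
IIIIIIIIIIIIIIII
@read2
ACGTNNGTACGTACGT
+
IIIIIIIIIIIIIIII
@read3
AAAACCCCGGGGTTTT
+
IIIIIIIIIIIIIIII
"""

# Assumed 2-bit code for the four bases (hypothetical, for illustration).
BASE_BITS = {"A": 0b00, "C": 0b01, "G": 0b10, "T": 0b11}


def parse_fastq(text):
    """Yield (read_id, sequence, quality) tuples from FASTQ text.

    A FASTQ record is exactly four lines: '@id', bases, '+', quality.
    Records are taken in fixed groups of four rather than by scanning for
    '@', because a quality string may legitimately begin with '@'.
    Malformed or truncated input is rejected instead of being guessed at.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4 != 0:
        raise ValueError("truncated FASTQ record")
    for i in range(0, len(lines), 4):
        header, seq, plus, qual = lines[i:i + 4]
        if not header.startswith("@") or not plus.startswith("+"):
            raise ValueError(f"malformed record starting at line {i + 1}")
        if len(seq) != len(qual):
            raise ValueError(f"sequence/quality length mismatch in {header}")
        yield header[1:], seq.upper(), qual


def filter_reads(records):
    """Drop reads containing N, i.e. a position the sequencer could not call."""
    return [r for r in records if "N" not in r[1]]


def decode_bases(seq):
    """Pack a base string into bytes, two bits per base, most significant first.

    Four bases make one byte; a trailing partial group is padded with A (00).
    """
    out = bytearray()
    for i in range(0, len(seq), 4):
        chunk = seq[i:i + 4].ljust(4, "A")
        value = 0
        for base in chunk:
            value = (value << 2) | BASE_BITS[base]
        out.append(value)
    return bytes(out)


def decode_fastq(text):
    """Parse, filter and decode every read; returns {read_id: bytes}."""
    return {rid: decode_bases(seq)
            for rid, seq, _ in filter_reads(parse_fastq(text))}


if __name__ == "__main__":
    for rid, payload in decode_fastq(SAMPLE_FASTQ).items():
        print(rid, payload.hex())
```

Running the block prints the bytes each surviving read carries (read2 is absent because of its Ns). The point for a defender is the input-validation side: a program that consumes sequencer output is parsing attacker-influenceable data, so it should reject truncated or inconsistent records up front rather than trusting that a FASTQ file is well formed.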
While all this is no doubt highly impressive and, quite frankly, a bit sensational, we don't have to panic…yet. This hack succeeded only because of a weakness in the DNA sequencing software, and only in this very specific case. The researchers state that they have no evidence of DNA sequencing systems or data currently being under attack.
However, this attempt shows that we should consider DNA sequencing attacks a possible threat in the future of cybersecurity, especially since, back in 2016, scientists found a way to store and retrieve digital images in DNA! More on that in later posts.
Sources: theguardian.com, wired.com