University of Washington scientists have created an experiment that shows how DNA can be used to not only create biologic viruses, but also viruses that can infect computers.

It is comprised of four different “nucleotides,” which combine in different ways to provide genetic instructions for different outcomes. I like to think of it like binary machine code where the combinations of 0’s and 1’s are combined to define a program for a computer to execute. This is probably a common analogy since scientists have been encoding digital data into organic DNA for a while now.

This is exactly what Tadayoshi Kohno at the University of Washington was thinking about when he and his team devised the experiment to encode a malicious virus in DNA — a virus that doesn’t compromise humans, but computers. While much of scientists’ work with DNA happens with organic materials, some of it requires computers to decode the DNA information into a digital format and this is where the research team focused their attack.

The team admits that they created the “best possible environment” in which to test their theory. They changed the source code of the fqzcomp DNA compressor to include a fixed data buffer which would be vulnerable to a buffer overflow attack. The next step was to encode the buffer overflow data into synthetic DNA. Encoding digital information into DNA that uses only four nucleotides with physical restrictions on the combinations is challenging and took many iterations, but the team was eventually able to come up with a viable formula and it was sent to Integrated DNA Technologies for synthesis.

When the vial of DNA was received from the synthesis service, the team now had a computer program vulnerable to the exploit encoded on that DNA and the test was ready to go. They sequenced the DNA samples using the known-vulnerable fqzcomp compressor and 37% of the time the attack was successful — the buffer overflow compromised the computer system and could have granted unauthorized access to the perpetrators.

“[the] attack was fully translated only about 37 percent of the time since the sequencer’s parallel processing often cut it short or—another hazard of writing code in a physical object—the program decoded it backward. (A strand of DNA can be sequenced in either direction, but a code is meant to be read in only one. The researchers suggest in their paper that future, improved versions of the attack might be crafted as a palindrome.)”, reads the Wired Magazine.

Is this a viable attack? It depends on many factors. The bad guys would have to compromise software used in the DNA sequencing and analysis stages like these researchers did. Or they would have to find existing vulnerabilities in the software currently being used (not hard to imagine when you realize how many vulnerabilities exist in all software.) The bad guys would also have to arrange for the target to receive a sample of the specially crafted malicious DNA, or find a vulnerability that could be exploited by known samples that did not require modification. There are a variety of ways the DNA processes could be compromised but for now, they are all complex with a low probability of success. It will take a lot of (financial) motivation or time for malicious researchers to make these attacks viable. But we know it is possible, so we can start to think about the implications now.

About the author: Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter. has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter. Pierluigi Paganini (Security Affairs – DNA, malware)

Share this...

Linkedin Reddit Pinterest

Share On