But with great ubiquity comes great vulnerability. DNA is commonly used in forensics, so if troublemakers could hack sequencing machines or software, they could change the course of an investigation by altering genetic data. Or, if machines are processing confidential data about genetically modified organisms, hackers could steal intellectual property.
There’s also the matter of personal genetic data. The United States is currently trying to sequence the DNA of at least 1 million Americans to pave the way for precision medicine, where treatments are tailored to an individual’s genes. “That data is very sensitive,” says Peter Ney, a student in Kohno’s lab. “If you can compromise [the sequencing pipeline], you could steal that data, or manipulate it to make it seem like people have genetic diseases they don’t have.”
“We want to understand and anticipate what the hot new technologies will be over the next 10 to 15 years, to stay one step ahead of the bad guys,” says Kohno. In 2008, his team showed that they could wirelessly hack their way into a heart implant, and reprogram it to either shut down or deliver debilitating jolts. In 2010, they showed that they could hack into the control system of a Chevrolet Impala, taking control of the car. Then, they turned their attention to DNA sequencing. “It’s an emerging field that other security researchers haven’t looked at, so the intrigue was there,” says Kohno. “Could we compromise a computer system with DNA biomolecules?”
They could, but reassuringly, it wasn’t easy. To make their malware work, the team introduced a vulnerability into a program that’s commonly used to analyze DNA data files. They then exploited that weakness. That’s a bit of a cheat, but the team also showed that such vulnerabilities are common in software for analyzing DNA. The people who created these programs didn’t really have hacking in mind, and so their products tend to be insecure, and rarely follow best practices for digital security. With the right molecular malware, it could be possible for adversaries to compromise these programs and the computers that run them.
“I liked the creativity a lot, but their exploit is unrealistic,” says Yaniv Erlich, a geneticist at Columbia University and the New York Genome Center. (Earlier this year, Erlich encoded a computer virus in DNA, but he didn’t code it so that it would launch on its own when the DNA was sequenced.) In practice, the team’s malware would create a glitch that most sequencing centers would spot and fix. An adversary could only assume control of a compromised computer if they had impeccable timing, and struck immediately after the strands were sequenced.
Still, Erlich agrees that programs for analyzing DNA have “relatively relaxed security standards.” There are rumors, he says, that one big research institution was hit by ransomware, because they used the default admin passwords on their sequencing machines.
“My hope is that over the next 5 to 10 years, people take a strong interest in DNA security, and proactively harden their systems against adversarial threats,” says Kohno. “We don’t know of such threats arising yet and we hope that they’ll never manifest.”