Study: AI detects backdoor-unlocking DNA samples

The 4D chess equivalent of a supply-chain attack

How's this for a security threat? A backdoor hidden in lab software that is activated when fed a specially crafted digital DNA sample.

Typically, this backdoor would be introduced in a supply-chain attack, as we saw with the compromised SolarWinds monitoring tools. When the lab analysis software processes a digital sample of genetic material with the trigger encoded, the backdoor in the application activates: the trigger could include an IP address and network port to covertly connect to, or other instructions to carry out, allowing spies to snoop on and interfere with the DNA processing pipeline.

It could be used to infiltrate national health institutions, research organizations, and healthcare companies, because few have recognized the potential of biological matter as the carrier or trigger of malware. Just as you can use DNA in living bacteria to hold information, this storage can be weaponized against applications processing that data.

When you look at a typical sequencing process, the DNA strands go into a sequencer, which creates a digital file that the computer connected to the sequencer analyzes. As you can imagine, this is how you can introduce malicious but otherwise valid, sanitized data into a lab, via a sample sent in to process.

The University of Nebraska's Sasitharan Balasubramaniam, one of the leads behind a recent exploration of these vulnerabilities and what they mean for the emerging field of bio-cybersecurity, has detailed this threat – and also ways it can be enhanced, and caught in time.

This isn't science fiction

Back in 2017, in one of the rare biosecurity research works focused on DNA sequencing, researchers at the University of Washington synthesized DNA so that when converted into a digital file and fed into an application, a security flaw was exploited to open a backdoor network connection. That research relied on a vulnerability being present in the code, either accidentally or deliberately introduced.

The new effort builds on that, and involves trojan-horse software, and a small and simple trigger in the DNA. "What's significant here in our work is that we looked at all the ways to hide this in the DNA and all the most efficient ways to do this so the code couldn't be found," Balasubramaniam explained.

"There's a concept in DNA research called steganography, which is used frequently in DNA coding. Using that we could hide this small bit of code very efficiently."

The good news is that using a deep-learning technique his team developed, it is possible to spot sneaky DNA manipulation. More on that is explained in the team's paper.
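As an added illustration of the two ideas above, namely that a sequence file can carry arbitrary bytes (the storage-as-carrier point) and that such a payload leaves a statistical trace an analyzer can look for (the detection point), the Python below is example code written for this page, not code from the article, the University of Washington work, or Balasubramaniam's team. It uses an assumed two-bits-per-base mapping, a constructed pair of FASTQ records, and a deliberately naive screen that flags reads whose decoded bytes are mostly printable ASCII in any of the four frame offsets. The team's deep-learning detector works differently, and a payload hidden with DNA steganography as the paper describes would not trip a check this simple.

```python
# Added illustration (not from the article or the Nebraska team's paper): how bytes
# map onto nucleotides, and a deliberately simple screen that flags sequencing reads
# whose decoded bytes look like text rather than biology. All sample data is constructed.

NUC = "ACGT"  # assumed mapping: two bits per base, A=00 C=01 G=10 T=11


def bytes_to_dna(data: bytes) -> str:
    """Encode arbitrary bytes as a nucleotide string, four bases per byte."""
    return "".join(NUC[(b >> shift) & 3] for b in data for shift in (6, 4, 2, 0))


def dna_to_bytes(seq: str) -> bytes:
    """Inverse of bytes_to_dna; trailing bases that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(seq) - len(seq) % 4, 4):
        value = 0
        for base in seq[i:i + 4]:
            value = (value << 2) | NUC.index(base)  # raises ValueError on N etc.
        out.append(value)
    return bytes(out)


def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range; biological reads tend to score low."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def parse_fastq(text: str):
    """Yield (read_id, sequence) from a FASTQ string (four lines per record)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    for i in range(0, len(lines), 4):
        yield lines[i][1:].split()[0], lines[i + 1]


def scan_reads(fastq_text: str, threshold: float = 0.9) -> list:
    """Return ids of reads that decode to mostly printable ASCII in any of the
    four frame offsets (a hidden payload need not start at the read boundary).
    The threshold is an assumption chosen for this illustration."""
    flagged = []
    for read_id, seq in parse_fastq(fastq_text):
        if any(base not in NUC for base in seq):
            continue  # reads with ambiguous bases (N) are skipped by this toy screen
        score = max(printable_fraction(dna_to_bytes(seq[off:])) for off in range(4))
        if score >= threshold:
            flagged.append(read_id)
    return flagged


# Constructed sample: one ordinary-looking read and one carrying an ASCII payload.
ORDINARY_READ = "ATGGCGTACGTTAGCCATGGACTTACGGATCGATCGGATT"
PAYLOAD_READ = bytes_to_dna(b"CONSTRUCTED-TRIGGER")

SAMPLE_FASTQ = "\n".join([
    "@read_1 constructed ordinary read", ORDINARY_READ, "+", "I" * len(ORDINARY_READ),
    "@read_2 constructed payload read", PAYLOAD_READ, "+", "I" * len(PAYLOAD_READ),
])

if __name__ == "__main__":
    print("flagged reads:", scan_reads(SAMPLE_FASTQ))  # ['read_2']
```

Run it directly to see the payload-carrying record flagged while the ordinary read, which decodes to printable bytes only about 70 percent of the time in its best frame, passes. The point of the check is where it sits: it inspects the digital file between the sequencer and the analysis software, which is exactly the hand-off the article identifies as the way sanitized but malicious data enters a lab.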

It's important to note the threat goes far beyond healthcare companies or national health services. At stake is not just the possibility of human patient data being manipulated once systems are compromised. Think of a large agricultural research company with massive volumes of genetic research.

"What we're saying here is that the impact is big: we need a rethink of how systems are secure, not only from the handling and storage of this data but how the data is sequenced and processed," Balasubramaniam said.

He and his team are not aware of this rethink happening in real organizations yet, but the risk is pressing and requires new emphasis on biocybersecurity research. When The Register asked if sequencing companies were aware of this threat, Balasubramaniam said definitely not.

"We want to create awareness so that these companies aren't just thinking about anti-malware from a cyber-infrastructure standpoint, but from a bio-infrastructure one as well." ®
