Scientists Create DNA-Based Exploit of a Computer System

Archeron writes: It seems that scientists at University of Washington in Seattle have managed to encode malware into genomic data, allowing them to gain full access to a computer being used to analyze the data. While this may be a highly contrived attack scenario, it does ask the question whether we pay sufficient attention to data-driven exploits, especially where the data is instrument-derived. What other systems could be vulnerable to a tampered raw data source? Perhaps audio and RF analysis systems? MIT Technology Review reports: "To carry out the hack, researchers led by Tadayoshi Kohno and Luis Ceze encoded malicious software in a short stretch of DNA they purchased online. They then used it to gain 'full control' over a computer that tried to process the genetic data after it was read by a DNA sequencing machine. The researchers warn that hackers could one day use faked blood or spit samples to gain access to university computers, steal information from police forensics labs, or infect genome files shared by scientists. To make the malware, the team translated a simple computer command into a short stretch of 176 DNA letters, denoted as A, G, C, and T. After ordering copies of the DNA from a vendor for $89, they fed the strands to a sequencing machine, which read off the gene letters, storing them as binary digits, 0s and 1s. Yaniv Erlich, a geneticist and programmer who is chief scientific officer of MyHertige.com, a genealogy website, says the attack took advantage of a spill-over effect, when data that exceeds a storage buffer can be interpreted as a computer command. In this case, the command contacted a server controlled by Kohno's team, from which they took control of a computer in their lab they were using to analyze the DNA file." You can read their paper here.

Buffer overflow

[srg33]

Sloppy programming

Re:

[Anonymous Coward]

OMG C and C++ the horror, THE HORROR!

"We analyzed open-source bioinformatics tools that are commonly used by researchers to analyze DNA data. Many of these are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written. In this case the programs did not follow computer security best practices. For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow. The lack of input sanitizat

Re:Buffer overflow

[infolation]

Did you really name your son

Robert'); DROP TABLE ForensicSamples;

Oh, yes. Little Bobby Tables, we call him.

Re:

[gringer]

Furthermore, it's a deliberately introduced bug

Re:

[Kjella]

Furthermore, it's a deliberately introduced bug

Yeah, as long as you intentionally fuck up the "get data" function you can make any kind of sensor or input device malicious. The samples are often a static size though so it's like:

byte[sample_size] buffer;
memcpy( dev, buffer, sizeof(buffer));

Sure you could fuck that up if you wanted to... but it's rather contrived. Now, string handling the C way... kill it with fire.

Same shit, different decade.

[Anonymous Coward]

"the attack took advantage of a spill-over effect, when data that exceeds a storage buffer can be interpreted as a computer command."

It took you an entire sentence to describe a buffer overflow.

Talk about hype for bullshit's sake. Fix the fucking obvious.

Re:Why?

[rogoshen1]

Those are called mutations; even god (lower case 'g'..) is guilty of sloppy practices -- using eval.

Re:Why?

[Cacadril]

That's how buffer overflows are exploited, provided the buffer resides in the stack frame of a subroutine. The analysis program is buggy, and overflows the buffer with data to be analysed, Next, the buggy subroutine finishes and returns to the caller. But the return address has been overwritten too. If the data written over the return address has been carefully chosen to point to data in the overwritten area, the program will begin executing information contained in the DNA.

Re:

[fredrated]

Wow! I want to buy those cloths!

At the interrogation room

[edx93]

Police: "So, why did you hack the computer?"

Guy: "I'm sorry sir, I can't help it. It's in my DNA"

Let it RUST

[al0ha]

Yet another reason why device manufacturers, not to mention everyone else, should move to RUST sooner rather than later.

Re:

[Z80a]

Or use some decent memory allocation library.

Wow ... Pwning with DNA

[ClickOnThis]

This is a very cool hack.

'course, there's an emacs command to do that. [xkcd.com]

Lighten up folks!

[RhettLivingston]

Take a chill pill and recognize an opportunity for a joke fest when you see it! Few postings provide material this good!

Let the jokes fly and moderators BREAK THE GLASS OVER YOUR FUNNY BUTTONS!

Saw it on TV already.

[Videospike]

It was on an episode of Bones, when they were facing off against uber-hacker Kevin Poulant. He etched a micro-pattern into some bones, and when they were topographically scanned the malware embedded in the etching granted him access to the lab's computers. Exactly the type of exploit envisioned here. And since there's nothing original on TV, this is probably not the first time it's been done.

ahhh the famous DNA injection!

[Andre Dias]

Patch the code to: $stmt = $db->prepare('SELECT * FROM employees WHERE DNA = :dna'); $stmt->execute(array('dna' => $input));

Idiots! DNA-based != DNA-encoded

[aglider]

Oh my! Could it be more click bait?

Come on! How can a DNA-BASED exploit crack my PC? By spitting on the keyboard or coughing at the screen!

Come on!

Just a PR Stunt

[Hian Bosu]

This is really nothing more than a PR stunt. What the researchers did was take a sequencing data compression program fqzcomp [sourceforge.net] written for the Sequence Squeeze [pistoiaalliance.org] competition and deliberately broke it so there was a buffer overrun. What's more is that they broke it in such a way that all DNA sequences would have made the program go wrong in some way, probably by crashing it.

All they demonstrated is that if you break a program then it is broken.

All DNA sequencing machines produce well formed data files as output so you cannot cause a buffer overrun just by adding your own special DNA variant sample. It would just be treated like any normal sample data. There are vulnerabilities in sequencing data processing program code but to exploit them you would have to alter the file themselves not the DNA samples going into the machine.

No...you can read the paper here:

[TheOuterLinux]

http://dnasec.cs.washington.ed... [washington.edu].

Nothing new

[jasonma84]

A buffer overflow exploit is nothing new. The data being DNA in this case is a mute point since input can be derived from any media.