Scientists Create DNA-Based Exploit of a Computer System (technologyreview.com)

Archeron writes: It seems that scientists at University of Washington in Seattle have managed to encode malware into genomic data, allowing them to gain full access to a computer being used to analyze the data. While this may be a highly contrived attack scenario, it does ask the question whether we pay sufficient attention to data-driven exploits, especially where the data is instrument-derived. What other systems could be vulnerable to a tampered raw data source? Perhaps audio and RF analysis systems? MIT Technology Review reports: "To carry out the hack, researchers led by Tadayoshi Kohno and Luis Ceze encoded malicious software in a short stretch of DNA they purchased online. They then used it to gain 'full control' over a computer that tried to process the genetic data after it was read by a DNA sequencing machine. The researchers warn that hackers could one day use faked blood or spit samples to gain access to university computers, steal information from police forensics labs, or infect genome files shared by scientists. To make the malware, the team translated a simple computer command into a short stretch of 176 DNA letters, denoted as A, G, C, and T. After ordering copies of the DNA from a vendor for $89, they fed the strands to a sequencing machine, which read off the gene letters, storing them as binary digits, 0s and 1s. Yaniv Erlich, a geneticist and programmer who is chief scientific officer of MyHeritage.com, a genealogy website, says the attack took advantage of a spill-over effect, when data that exceeds a storage buffer can be interpreted as a computer command. In this case, the command contacted a server controlled by Kohno's team, from which they took control of a computer in their lab they were using to analyze the DNA file." You can read their paper here.
  • Sloppy programming
    • by Anonymous Coward

      OMG C and C++ the horror, THE HORROR!

      "We analyzed open-source bioinformatics tools that are commonly used by researchers to analyze DNA data. Many of these are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written. In this case the programs did not follow computer security best practices. For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow. The lack of input sanitizat

    • by gringer ( 252588 )

      Furthermore, it's a deliberately introduced bug

      • by Kjella ( 173770 )

        Furthermore, it's a deliberately introduced bug

        Yeah, as long as you intentionally fuck up the "get data" function you can make any kind of sensor or input device malicious. The samples are often a static size though so it's like:

        uint8_t buffer[SAMPLE_SIZE];            /* fixed-size sample */
        memcpy(buffer, dev, sizeof(buffer));    /* dest, src, bound = destination size */

        Sure you could fuck that up if you wanted to... but it's rather contrived. Now, string handling the C way... kill it with fire.
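Added example, not code from the paper or from any poster: the unchecked static-buffer copy the quoted paragraph describes, next to a bounded sequence reader that takes its limit from the destination buffer (as Kjella's memcpy with sizeof(buffer) does) and rejects bases outside A/C/G/T/N. SEQ_CAP, the function names and the sample read are assumptions constructed for this snippet.

```c
#include <stddef.h>
#include <string.h>

/* Capacity of the fixed sequence buffer; the paper's modified fqzcomp copied
 * into a static buffer like this without checking the input length, e.g.
 *     static char seq[SEQ_CAP];
 *     memcpy(seq, line, strlen(line));   // bound taken from the input, not the buffer
 * That pattern is shown only as a comment here and never compiled. */
#define SEQ_CAP 32
enum seq_status { SEQ_TOO_LONG = -1, SEQ_BAD_BASE = -2 };

/* Hardened reader: copies one sequence line into a caller-supplied buffer of
 * exactly SEQ_CAP bytes.  The bound comes from the destination (as in
 * Kjella's memcpy(..., sizeof(buffer))), never from the input, and each byte
 * is checked against the A/C/G/T/N alphabet before it is stored.
 * Returns the number of bases stored, or a negative seq_status on rejection. */
int read_sequence(const char *line, size_t line_len, char out[SEQ_CAP])
{
    if (line_len >= SEQ_CAP)            /* keep one byte for the terminator */
        return SEQ_TOO_LONG;
    for (size_t i = 0; i < line_len; i++) {
        switch (line[i]) {
        case 'A': case 'C': case 'G': case 'T': case 'N':
            out[i] = line[i];
            break;
        default:
            out[0] = '\0';              /* leave no partial record behind */
            return SEQ_BAD_BASE;
        }
    }
    out[line_len] = '\0';
    return (int)line_len;
}

/* Wrapper for a NUL-terminated line such as the sequence line of a FASTQ record. */
int read_sequence_str(const char *line, char out[SEQ_CAP])
{
    return read_sequence(line, strlen(line), out);
}

/* Constructed sample input: a read of SEQ_CAP + 8 'A's, longer than the buffer.
 * The unchecked pattern above would overflow here; this one returns SEQ_TOO_LONG. */
int check_oversize_read(void)
{
    char line[SEQ_CAP + 9], out[SEQ_CAP];
    memset(line, 'A', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    return read_sequence_str(line, out);
}
```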

  • by Anonymous Coward

    "the attack took advantage of a spill-over effect, when data that exceeds a storage buffer can be interpreted as a computer command."

    It took you an entire sentence to describe a buffer overflow.

    Talk about hype for bullshit's sake. Fix the fucking obvious.

  • by edx93 ( 4858619 ) on Thursday August 10, 2017 @06:29PM (#54986925)

    Police: "So, why did you hack the computer?"

    Guy: "I'm sorry sir, I can't help it. It's in my DNA"

  • Yet another reason why device manufacturers, not to mention everyone else, should move to RUST sooner rather than later.
  • by ClickOnThis ( 137803 ) on Thursday August 10, 2017 @06:52PM (#54987029) Journal

    This is a very cool hack.

    'course, there's an emacs command to do that. [xkcd.com]

  • Take a chill pill and recognize an opportunity for a joke fest when you see it! Few postings provide material this good!

    Let the jokes fly and moderators BREAK THE GLASS OVER YOUR FUNNY BUTTONS!

  • It was on an episode of Bones, when they were facing off against uber-hacker Kevin Poulant. He etched a micro-pattern into some bones, and when they were topographically scanned the malware embedded in the etching granted him access to the lab's computers. Exactly the type of exploit envisioned here. And since there's nothing original on TV, this is probably not the first time it's been done.
  • Patch the code to: $stmt = $db->prepare('SELECT * FROM employees WHERE DNA = :dna'); $stmt->execute(array('dna' => $input));
  • Oh my! Could it be more click bait?

    Come on! How can a DNA-BASED exploit crack my PC? By spitting on the keyboard or coughing at the screen!

    Come on!

  • Just a PR Stunt

    by Hian Bosu ( 61229 ) on Friday August 11, 2017 @06:38AM (#54989725)

    This is really nothing more than a PR stunt. What the researchers did was take a sequencing data compression program fqzcomp [sourceforge.net] written for the Sequence Squeeze [pistoiaalliance.org] competition and deliberately broke it so there was a buffer overrun. What's more is that they broke it in such a way that all DNA sequences would have made the program go wrong in some way, probably by crashing it.

    All they demonstrated is that if you break a program then it is broken.

    All DNA sequencing machines produce well-formed data files as output, so you cannot cause a buffer overrun just by adding your own special DNA variant sample. It would just be treated like any normal sample data. There are vulnerabilities in sequencing data processing program code, but to exploit them you would have to alter the files themselves, not the DNA samples going into the machine.
  • A buffer overflow exploit is nothing new. The data being DNA in this case is a moot point since input can be derived from any media.
