Scientists Create DNA-Based Exploit of a Computer System (technologyreview.com)
Archeron writes: It seems that scientists at University of Washington in Seattle have managed to encode malware into genomic data, allowing them to gain full access to a computer being used to analyze the data. While this may be a highly contrived attack scenario, it does ask the question whether we pay sufficient attention to data-driven exploits, especially where the data is instrument-derived. What other systems could be vulnerable to a tampered raw data source? Perhaps audio and RF analysis systems?
MIT Technology Review reports: "To carry out the hack, researchers led by Tadayoshi Kohno and Luis Ceze encoded malicious software in a short stretch of DNA they purchased online. They then used it to gain 'full control' over a computer that tried to process the genetic data after it was read by a DNA sequencing machine. The researchers warn that hackers could one day use faked blood or spit samples to gain access to university computers, steal information from police forensics labs, or infect genome files shared by scientists. To make the malware, the team translated a simple computer command into a short stretch of 176 DNA letters, denoted as A, G, C, and T. After ordering copies of the DNA from a vendor for $89, they fed the strands to a sequencing machine, which read off the gene letters, storing them as binary digits, 0s and 1s. Yaniv Erlich, a geneticist and programmer who is chief scientific officer of MyHeritage.com, a genealogy website, says the attack took advantage of a spill-over effect, when data that exceeds a storage buffer can be interpreted as a computer command. In this case, the command contacted a server controlled by Kohno's team, from which they took control of a computer in their lab they were using to analyze the DNA file." You can read their paper here.
It was on an episode of Bones, when they were facing off against uber-hacker Kevin Poulant. He etched a micro-pattern into some bones, and when they were topographically scanned the malware embedded in the etching granted him access to the lab's computers. Exactly the type of exploit envisioned here. And since there's nothing original on TV, this is probably not the first time it's been done.
That's how buffer overflows are exploited, provided the buffer resides in the stack frame of a subroutine. The analysis program is buggy, and overflows the buffer with data to be analysed. Next, the buggy subroutine finishes and returns to the caller. But the return address has been overwritten too. If the data written over the return address has been carefully chosen to point to data in the overwritten area, the program will begin executing information contained in the DNA.
There is no substitute for common sense. Especially, no body of rules will do.
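The bug class described in the comment above, as an added example that is not part of the original thread and is not the researchers' or any sequencing tool's code: a routine that packs a DNA read into a fixed stack buffer without a length check, next to a version that rejects reads that do not fit. The 2-bit-per-base encoding, the 16-byte buffer and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define READ_BUF_BYTES 16   /* assumed buffer size: 64 bases at 2 bits each */

/* Map one base to 2 bits; -1 for anything that is not A, C, G or T. */
static int base_bits(char c) {
    switch (c) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;
    }
}

/* Unchecked form, kept only for contrast and never called here: it writes
 * (n + 3) / 4 bytes whatever the size of `out`, so a read longer than the
 * buffer spills into whatever follows it in the stack frame. */
void pack_read_unchecked(const char *read, uint8_t *out) {
    size_t n = strlen(read);
    for (size_t i = 0; i < n; i++) {
        if (i % 4 == 0) out[i / 4] = 0;
        out[i / 4] |= (uint8_t)((base_bits(read[i]) & 3) << (2 * (i % 4)));
    }
}

/* Hardened form: the caller passes the capacity. Returns the number of
 * packed bytes, or -1 if the read does not fit or holds an invalid letter. */
int pack_read_checked(const char *read, uint8_t *out, size_t out_cap) {
    size_t n = strlen(read);
    size_t need = (n + 3) / 4;
    if (need > out_cap) return -1;      /* reject before writing anything */
    memset(out, 0, out_cap);
    for (size_t i = 0; i < n; i++) {
        int b = base_bits(read[i]);
        if (b < 0) return -1;           /* instrument data is untrusted input */
        out[i / 4] |= (uint8_t)(b << (2 * (i % 4)));
    }
    return (int)need;
}

/* Handle one read the way an analysis routine with a stack buffer would. */
int process_read(const char *read) {
    uint8_t buf[READ_BUF_BYTES];
    return pack_read_checked(read, buf, sizeof buf);
}
```

At 2 bits per base, the 176-letter strand from the article would need 44 bytes, so the checked routine refuses it for this 16-byte buffer.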