Security flaw could allow hackers to trick lab scientists into making viruses


Cyber-security researchers from Ben-Gurion University of the Negev recently discovered a computer attack that could allow hackers to remotely trick laboratory scientists into creating toxins and viruses.

The setup: Medical professionals use synthetic DNA for a variety of reasons, including the development of immunogens for creating vaccines. The Ben-Gurion researchers developed and tested an end-to-end attack that changes data on a bioengineer’s computer in order to replace short DNA sub-strings with malicious code.

If terrorists wanted to spread a virus or toxin by hijacking a reputable lab or hiding it inside of a vaccine or other medical treatment, they’d traditionally need physical access to the laboratory or part of its supply chain. According to this paper published last week in Nature Biotechnology, that’s no longer the case.

The researchers claim that a simple Trojan horse and a bit of hidden code could turn medicine into malice, and the engineers creating the tainted goods would be none the wiser:

A cyberattack intervening with synthetic DNA orders could lead to the synthesis of nucleic acids encoding parts of pathogenic organisms or harmful proteins and toxin … This threat is real. We conducted a proof of concept: an obfuscated DNA encoding a toxic peptide was not detected by software implementing the screening guidelines. The respective order was moved to production.

The researchers describe a scenario wherein a bad actor uses a Trojan horse to infect a researcher’s computer. When that researcher goes to order synthetic DNA, the malware obfuscates the order so that it looks legit to the security software the DNA shop uses to check it. In reality, the obfuscated DNA sub-strings are harmful.

The DNA shop fills the order (unknowingly sending the researcher the dangerous DNA), and the researcher’s security software fails to uncover the obfuscated sub-strings, so the researcher remains clueless.

The researchers managed to use their technique to successfully bypass security for 16 out of the 50 orders they tried it on.


What this means: We’re in a dangerous in-between…