How hackers can trick unwitting scientists into producing dangerous genes

In a new letter to the editor extracted from the prestigious scientific journal Nature, a team of Israeli researchers asks a frankly wild question: Could a computer hack lead a scientist to be tricked into creating a piece of genetic code that is harmful – or potentially toxic – rather than useful?

The answer seems to be yes, albeit with some pretty heavy caveats. The “end-to-end cyber attack” described above requires some lackluster cybersecurity cuts from both sides of the genetic research supply chain: both academics who could order genetic materials online, and laboratories that could provide those materials back. While this type of attack has not yet been seen in nature, the research team behind the letter pointed out that it is not outside the realm of possibility, especially as more and more genetic research moves into the digital realm.

At the heart of this hypothetical hack is the software biologists use to “print” strands of DNA from scratch and then assemble them together, a process known as “DNA synthesis”. In the past few years, we’ve seen this synthesis software behind tons of groundbreaking biomedical research. In the mad rush to create a treatment for Covid-19, for example, a handful of major pharmaceutical companies have turned to using artificial DNA strands as one of the components of their experimental vaccines.

But software, even the software used to write strings of biological code, is still software, which means it can still be hacked. Futurists and scientists alike have been sounding that specific alarm for years. And in 2017, a team of researchers from the University of Washington even showed that it was possible to code the malware directly into one of these synthetic DNA strands, albeit with a lot of trial and error, and the malware only worked because it intentionally borked the software they intended to attack. (And, as Wired wrote, “the attack was only fully translated about 37% of the time.”)

Both that case and the case described in this new letter are theoretical. But as the Israeli researchers have stated, these cases are theoretical. But as the Israeli team states, “the threat is real”, especially since synthetic DNA is the basis of ever-greater biomedical research.

Here’s how the attack would go (theoretically): Let’s say you have a bioengineer who works at a university, who is working on a new vaccine that requires specific strings of synthetic DNA. Each of these strings is made up of four different chemical blocks – or “bases” in the language of biology – arranged in a specific sequence.

As the researchers point out, not all academic institutions have the best cybersecurity capabilities, meaning it’s entirely possible for a bad actor to hijack this engineer’s computer with some sort of malware. Since most of the purchase of these synthetic DNA strands takes place online, there is a possibility that the bad actor behind the initial hijacking could also hijack that gene capture software, replacing particular pieces of that required code.

Technically, synthetic DNA suppliers are required to check any required sequences against a huge federal database that lists particular “sequences of concern” that could be used to create, for example, a deadly chemical agent or potential biological weapon. But these guidelines are both pretty poorly applied, and easy enough to get around through the same kind of obfuscation loved by bad tech players. By confusing their claim in this way, the Israeli team was able to order a particularly toxic peptide from a major synthetic bio company, and that company’s screening software skipped the shady sequences entirely. The team even moved the order to the production line before contacting the company to cancel it.

Going back to our nameless bioengineer from earlier, it’s entirely possible that his hacked computer could be placed in an equally flawed order, only to pass with flying colors. If the resulting genetic sequence ends up in his hands – and he ends up injecting that sequence into a cell – he could end up producing something potentially harmful, rather than the piece of vaccine he (presumably) ordered.

The overall synthetic biology market is expected to exceed $ 19 billion over the next five years. Some of the companies in this industry have achieved huge valuations on their own.

Of course, the scenario described in the letter is less of an immediate threat and more of the sort of thing that should be a wake-up call for buyers and suppliers in the synthetic biology industry. But frankly, it’s a wake-up call that both could use.