I saw this in the blogosphere the other day and I wasn’t planning on commenting . But then I saw it also in the trade press… and then I saw it getting more coverage… and then I saw it in some more blogs and more press… and then Ars Technica covered it… and then Schneier covered it. Apparently, it’s a thing – DNA as a “malware vector”.
The original research paper is here if you want to go read about it, but the short story is that some researchers inserted malware into DNA. They demonstrated that they could take DNA, manipulate it in such a way that software used to analyze it (that they modified specifically for this purpose) could be attacked when processing the DNA. The Ars story is probably the best balance between being concise but still rounding out the pertinent details.
Now… I say this carefully because I get it that people are interested in this (I don’t want to be the wet blanket)… And also, because it’s a cool thing they did over there. But is it me or does anybody else question why this is getting the “full monte” media treatment in the security press? I mean, I get it that it’s interesting about encoding malware in the DNA — but isn’t it more interesting “because DNA” than it is from a security point of view specifically? Again — the research is interesting , I’m super glad they did it, and it’s the you-dub, so you know it’s high quality. But what specifically about this makes it security news?
Here’s what I mean. This thing is conceptually analogous to me hiring a skywriter to write a bash fork bomb (e.g. “:(){ :|: & };:”) in the sky — or, for that matter, to drag a banner sign behind a cropduster that says “rm -rf /”. Were I to do that, am I demonstrating a cool new attack vector? Of course not, right? Yes, it’s “malicious”, but who cares?
Now how about if I write an app that takes pictures of the sky, does optical character recognition on stuff it might happen to find written there, and runs it on some UNIX host as root? What if the “some UNIX host” is an MRI machine? None of that stuff is interesting from a security point of view, right? To which, I could say “Hey. But I just totally just haxored an MRI machine using the sky… just the sky, man! Because the sky was vulnerable, man.” To which, you’d say, “but you created that whole convoluted chain of events just so you could create that effect.” And I’d say, “Yeah. You’re right. I did do that.”
Isn’t this the same thing? Here, they’ve created an attack vector and then embedded an exploit to that vector in a (super creative) transmission medium. Then, they allowed the process to transpire. Yes, the medium is creative – because DNA. But really, that’s the interesting part. The rest seems like cause and effect. The DNA part? Interesting. The malware part? Performs as expected.