Study: AI detects backdoor-unlocking DNA samples

How's this for a security threat? A backdoor hidden in lab software that is activated when fed a specially crafted digital DNA sample. Typically, this backdoor would be introduced in a supply-chain attack, as we saw with the compromised SolarWinds monitoring tools. When the lab analysis software processes a digital sample of …

  1. Anonymous Coward
    Boffin

    AI triggered backdoor

    The problem seems similar to ElReg's article of an hour ago. I wonder if the defense that study proposed would be applicable here?

    Techniques to fool AI with hidden triggers are outpacing defenses – study

    https://www.theregister.com/2022/02/25/dnn-trojan-attacks/

    1. diodesign (Written by Reg staff) Silver badge

      Re: AI triggered backdoor

      Ah yeah, they are closely related.

      The DNA issue is encoding hidden messages in perfectly valid data, and having an AI spot that; and the trigger detection is identifying when a model is seemingly deliberately misbehaving on special inputs.

      One involves undoing steganography in input data, and the other sensing that a model has a secret trigger.

      C.

  2. Paul Crawford Silver badge

    Ah, little Bobby Tables has the last laugh, again.

    1. Dr Paul Taylor

      Bobby Tables

      Exactly, and it's frankly irresponsible of El Reg and the authors of this work to present this in this fashion, because when The Great Unwashed get hold of the story they will not apply the reasoning that Commentards can.

      It's difficult enough already to get IT-illiterate bureaucrats to accept information from plain HTML webpages used in the way that Tim Berners-Lee intended; they demand it "as an email attachment", which is of course less secure.

      I don't know anything about Stuxnet, but presumably it was programmed to recognise the characteristics ("hostname") of the Iranian equipment. The malware was in the code that did that recognition (and of course the security holes in the equipment), not in the "hostname" itself.

      OK Bobby Tables shouldn't have had punctuation in his name, but we have no idea what stray "punctuation" there might be in DNA.

      It does make me wonder, though, whether we might have a sample of Putin's DNA and could manufacture a drug (using the technology that gave us Covid vaccines) that would target him specifically.

      1. Korev Silver badge
        Joke

        Re: Bobby Tables

        OK Bobby Tables shouldn't have had punctuation in his name, but we have no idea what stray "punctuation" there might be in DNA.

        Bobby Table\'s perhaps?

      2. Antron Argaiv Silver badge
        Devil

        Re: Bobby Tables

        Bobby Tables, I'm not worried about. The BOFH, on the other hand...

    2. claimed

      100%

      Came here to say the same. Fucking snake-oil wanker selling nothing to people who think they're at the forefront of technology because they deal with DNA.

      El Reg, you should have slammed these pricks not stroked their ego, shame on you

      1. John Brown (no body) Silver badge

        Yeah, it all seems a bit overhyped for something that is purely theoretical at the moment. Based on my possible misunderstanding of the article contents, the software or firmware of the equipment must be already compromised before the "trigger" can be sent to activate the backdoor. Assuming I've understood correctly, this means it's not so much a case of using AI to check the data coming in, but using traditional malware detection to make sure the firmware/software isn't compromised in the first place.

        1. diodesign (Written by Reg staff) Silver badge

          Hype

          FWIW there is no commercial project linked to this or anything like that, from what I can tell, so there's no snake oil to sell here.

          It's an interesting attack vector that we thought we'd write about. We'll stay away from more theoretical attacks in future.

          C.

  3. Korev Silver badge
    Boffin

    Our definition of Bio-Cyber Hacking refers to an attack that is hybrid between ICT systems and biological mediums. From the ICT system side, we assume that the pipeline of the sequencing service uses a DNA-analysis toolbox infected with Trojan Software.

    If the lab is already infected with a trojan then surely the damage has already been done without the need for the DNA-based attack?

    The only way I can see this being useful is if there is some standard aligners / other sequence analysis software in use with vulnerabilities which could then be exploited.

    1. diodesign (Written by Reg staff) Silver badge

      'If the lab is already infected with a trojan'

      I guess the point of this is that - a la SolarWinds - you modify some popular software in a supply chain attack, and the code is deployed all over the world.

      In order to target specific labs, you get them to process a sample with an IP address and port in it so you know which lab you're breaking into.

      It's very theoretical, we thought it was interesting, and we think readers will understand the threat. We'll keep the feedback in mind for future.

      C.

  4. VladimirOrlovsky

    we already have computer system, that can't be 'infected'.

    Intel and others just didn't 'Think' that far, then they designed 286-386-486 CPU's

    but ... BIG secret for people like you ...

    If computer system designed to separate "code" and 'data'

    and "My code", "My data" and "External code/data" ...

    nothing will happen.

    I will Explain like you are 5th grader:

    Impossible to RE-Write CD if media physically can't be RE-Written.

    Impossible to RE-Write real paper book, if NO one can touch it.

    You can 'Read' but can't "Touch" ...

    Welcome,

    You learn something !

    p.s.

    people usually know "How" do job right

    problem is .... $$$$$$$

    Money, Lots of Money !!

    We love Money !

    We love Money more than we love our Mothers ...

    and this is THE problem ...

    it is NOT technical problem ....

    Have a Nice Day.

    ~ VladimirJosephStephanOrlovsky

    1. nintendoeats Silver badge

      And if "external code" or "my code" includes an interpreter? For example, one that can accept requests from logging which include scripts to execute, execute those scripts using "my data" and send it back to an external device?
