Trojan Bio-Hacking Of Dna-Sequencing Pipeline

The article focuses on the information security risks that arise from the use of dubious software as part of a DNA-sequencing pipeline. We show how the perpetrator can use a biologically engineered sample that contains the remote machine's IP address and port number to trigger Trojan spyware previously dormant, and create a connection to the remote machine. The spyware is then used to either steal sensitive data processed by the pipeline (e.g. DNA-sample of crime suspect) or manipulate its control-flow (e.g. via opening a backdoor). To avoid detection the spyware can accept and expect required payload in fragments, which are also hidden inside the sample in a distributed manner. We show how the adversary can use cryptographic tools such as encryption and steganography to make such detection even harder while limiting the footprint that either identifies the attacker or makes the trigger-sample substantially different from its biological species. Therefore, we prove the viability of the attack and further stress the need to account for attacks being launched from the physical, rather than cyber-world. Furthermore, DNA sequencing error can hinder the successful delivery of a payload, hence the success of such attacks. We estimate the success rates for different sequencing error rates, where the calculated results are also verified with corresponding results from simulations.