Stealing DNA By Phone

Data exfiltration via side channel attacks can be a fascinating topic. It is easy to forget that there are so many different ways that electronic devices affect the physical world other than their intended purpose. And creative security researchers like to play around with these side-effects for ‘fun and profit’.

Engineers at the University of California have devised a way to analyse exactly what a DNA synthesizer is doing by recording the sound that the machine makes with a relatively low-budget microphone, such as the one on a smart phone. The recorded sound is then processed using algorithms trained to discern the different noises that a particular machine makes and translates the audio into the combination of DNA building blocks the synthesizer is generating.

Although they focused on a particular brand of DNA Synthesizers, in which the acoustics allowed them to spy on the building process, others might be vulnerable also.

In the case of the DNA synthesizer, acoustics revealed everything. Noises made by the machine differed depending on which DNA building block—the nucleotides Adenine (A), Guanine (G), Cytosine (C), or Thymine (T)—it was synthesizing. That made it easy for algorithms trained on that machine’s sound signatures to identify which nucleotides were being printed and in what order.

Acoustic snooping is not something new, several interesting techniques have been shown in the past that raise, arguably, more serious security concerns. Back in 2004, a neural network was used to analyse the sound produced by computer keyboards and keypads used on telephones and automated teller machines (ATMs) to recognize the keys being pressed.

You don’t have to rush and sound proof your DIY DNA Synthesizer room just yet as there are probably more practical ways to steal the genome of your alien-cat hybrid, but for multi-million dollar biotech companies with a equally well funded adversaries and a healthy paranoia about industrial espionage, this is an ear-opener.

We written about other data exfiltration methods and side channels and this one, realistic scenario or not, it’s another cool audio snooping proof of concept.

8 thoughts on “Stealing DNA By Phone

  1. My main takeaway from this article isn’t the scary reality of side channel attacks, that a simple microphone can extract far more information then one might expect at a first glance isn’t that surprising when one actually starts to listen to different machines.

    Though, that gene sequencing machines are such run of the mill things that we find them at both universities and in industry already is more interesting. Just 5-10 years ago this were complete science fiction after all….

    After all, there isn’t even a Wikipedia article about DNA synthesizer yet.

    1. IIRC, during the 1990’s the CIA warned employees about typing passwords while they were on the phone, as each keyclick on a keyboard has a distinctive sound based on its location on the PCB and inside the plastic shell.

  2. Mossad invented a method to output passwords chars via variation in cooler RPM for a laser-microphone pointing to a window to intercept the noise. The same using hdd led or keyboard leds + a hidden camera. The transfer rate is slow but enough for capturing many interesting passwords in one night.

  3. This would be an exceptionally hard to pull off. Many synthesizer runs have setup QC and method-specific cleaning operations (especially if they are in a regulated environment). While it may be true to determine which solution bottle is being dispensed, many synthesizers are moving towards microfluidics tech meaning this hack will have limited reach for lab-scale applications in the near future. Might have a bigger impact on oligo drug development as they will still use mid-size synthesizers like GE Healthcare’s (now Danaher’s) AKTA oligo pilot system which should in theory still be vulnerable to this attack. These mid-sized units are mostly used for R&D and scale-up ops, and by the time the putative drug is in these labs, the oligo formula has likely already been published. All in all, a very interesting hack for folks in my industry to consider. Nice article!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.