Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.
Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its daughter-software, and confined it into a pipeline that automatically signs each result with the help of an HSM (Hardware Security Module).
As many machines do, this one has to be paired to a PC running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by a TEE (Trusted Execution Environment). The software’s output is now piped through a data diode virtual serial port out of the VM and immediately signed with the HSM, and the signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.
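The signing stage and the public-key check described above, as an added example in Go that is not the project's code. It goes one step beyond the text by linking each signed record to the previous one, so a removed or reordered result fails verification as well as an edited one. Assumptions: a software Ed25519 key stands in for the HSM, and the `Record` layout, function names and sample result lines are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record is one signed instrument result (hypothetical layout, not the project's format).
type Record struct {
	Prev [32]byte // SHA-256 over the previous record's signed bytes and signature
	Data string   // raw result line as it left the VM
	Sig  []byte
}

func (r Record) payload() []byte {
	return append(append([]byte{}, r.Prev[:]...), r.Data...) // bytes that get signed
}

// SignAll plays the HSM stage: it signs every line and links it to its predecessor.
func SignAll(priv ed25519.PrivateKey, lines []string) (out []Record) {
	var prev [32]byte
	for _, l := range lines {
		r := Record{Prev: prev, Data: l}
		r.Sig = ed25519.Sign(priv, r.payload())
		prev = sha256.Sum256(append(r.payload(), r.Sig...))
		out = append(out, r)
	}
	return out
}

// Verify checks every signature and link; it returns the index of the first bad record, or -1.
func Verify(pub ed25519.PublicKey, recs []Record) int {
	var prev [32]byte
	for i, r := range recs {
		if r.Prev != prev || !ed25519.Verify(pub, r.payload(), r.Sig) {
			return i
		}
		prev = sha256.Sum256(append(r.payload(), r.Sig...))
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // software key standing in for the HSM
	recs := SignAll(priv, []string{"well=A1,ct=24.1", "well=A2,ct=31.7"}) // constructed sample lines
	recs[1].Data = "well=A2,ct=19.0" // edit a result after signing
	fmt.Println("first bad record:", Verify(pub, recs))
}
```

A chain cut short at the end still verifies, so the expected record count or the latest link hash has to be published separately.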
This design is just a part of the puzzle, given a typical chain of custody for samples in medical research, but it’s a solid start – and it happens to help make the Windows XP setup more resilient, too.
Wondering what PCR testing is good for? Tons of things all over the medical field; for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceptively simple to reasonably complex!
Great project. There are a lot of ways to fix this in modern instrumentation without all the workarounds. It’s definitely best done at the manufacturer level and I applaud them for what they’ve done despite having that level of direct access. True hacker stuff. For slow run instruments like PCR it makes sense, for high throughput high volume instruments there could be issues with this sort of thing. Love the premise and there's been a lot of advances in this sort of thing over the years. In some cases they are even putting the key/tag into the physical samples themselves! For PCR that's a no-go.
I am not sure what signing achieves in disease screening, when you can input any sample if manipulation of the results is your goal. In my country we do ring testing by sending copies of the same sample to different laboratories. Manipulation needs to be detected already at the time the specimen is taken and bagged (sealed). If the problem is in academia, maybe have 2 universities study the same disease on the same people independently.
Really great idea. In an ideal future journals and conferences would require data to be collected on instruments like this. Not just PCT obviously but any instrumentation. The same way they require statements about conflict of interest etc. Also there would be a huge segment of science this just can’t work for and there is an merriment that cheaters gonna cheat no matter what but it would be a start. I love it.
*PCR.
*argument
Ugh. Autocorrect ruining correct words to incorrect ones.