A vulnerability in a widely used, open source genomic analysis software allowed attackers to edit records of patient genetic sequences, leaving them at risk of being prescribed ineffective or toxic drugs.
Researchers at Sandia National Laboratories identified the weakness in genome matching program Burrows-Wheeler Aligner (BWA) and notified developers before revealing the weakness this week. A patch has been issued to address the vulnerability and fixed in the latest release.
The process of using a patient's genetic information to guide medical treatment involves sequencing genetic content from a patient's cells and comparing that sequence to a standardised human genome.
The researchers said they found a weak spot when the BWA program imported the standardised human genome from government servers. The standardised genome sequence travelled over insecure channels, which created the opportunity for a ‘man-in-the-middle’ attack.
This allowed malware to be sent with the standardised sequence that altered the patient’s genetic information obtained from sequencing.
“The malware could then change a patient's raw genetic data during genome mapping, making the final analysis incorrect without anyone knowing it,” the researchers said.
“Practically, this means doctors may prescribe a drug based on the genetic analysis that, had they had the correct information, they would have known would be ineffective or toxic to a patient,” they added.
As well as doctors, forensic labs and genome sequencing companies that use the mapping software were also temporarily vulnerable to having results maliciously altered, they said. Direct-to-consumer genetic tests were not affected, however, as they follow a different sequencing method.
“We exploited a classic buffer overflow vulnerability that can easily be resolved using more secure buffer allocation practices as performed elsewhere in BWA’s code,” said Corey Hudson, a bioinformatics researcher at Sandia who helped uncover the issue.
"Once we discovered that this attack could change a patient's genetic information, we followed responsible disclosure," he added.
US public agencies, including cyber security experts at the US Computer Emergency Readiness Team (CERT) were alerted and the National Institutes of Standards and Technology issued a note to software developers, genomics researchers and network administrators.
No attack from this vulnerability is currently known.
“Our primary recommendation to mitigate attacks targeting other genomics software or other areas of the pipeline is to separate the storage of data with its processing,” Hudson said. “We believe this separation of responsibilities should be a standard best practice implemented by all facilities performing genomics research and processing.”
Hudson and his team also encouraged security researchers who analyse open source software for weaknesses to look at genomics programs. The practice is common in industrial control systems and software used in critical infrastructure, Hudson said, but would be a new area for genomics security.
"Our goal is to make systems safer for people who use them by helping to develop best practices," he said.
The research continues with the testing of other genome mapping software for security weaknesses.