Researchers identify critical flaws in Oxford Nanopore devices that could expose or alter genetic data without detection.
Portable genetic sequencers used around the world to sequence DNA have critical, previously unreported security vulnerabilities that could reveal or alter genetic information without detection, according to a new study published in Nature Communications.
The University of Florida research team discovered three security flaws in Oxford Nanopore Technologies’ MinION portable sequencer and its associated software. Oxford Nanopore produces nearly all portable genetic sequencers used worldwide.
Two of the vulnerabilities allow unauthorized users to access devices and potentially copy or alter DNA data without detection. A third flaw enables denial-of-service attacks that could halt sequencing operations and make devices appear broken.
“No one in the world had looked at the security of these devices, which shocked me,” says Christina Boucher, PhD, a professor of computer and information science and engineering at University of Florida and co-author of the study, in a release.
Patches Available but Legacy Risks Remain
Oxford Nanopore Technologies has released updated software to address the vulnerabilities after being alerted by the security researchers. The Cybersecurity and Infrastructure Security Agency verified the flaws in an Oct 21 report and provided instructions for users to update their sequencers.
However, devices running older software versions remain vulnerable to attack, particularly when connected to unsecured Wi-Fi networks or when remote control is activated.
The palm-sized sequencers cost a few thousand dollars and can operate anywhere in the world, making DNA sequencing more accessible than traditional laboratory-based methods. But this portability creates security risks because the devices must connect to computers to function.
“You are connecting a very specialized device to a general-purpose device like a laptop, which is intrinsically assumed to be secure,” says Sara Rampazzi, PhD, a professor of computer and information science and engineering at University of Florida and project lead. “Instead, that laptop could be connected to an unsecured network, or it could be infected with malware or ransomware, especially if used in the field outside controlled environments.”
Research Use Presents Privacy Concerns
While Oxford Nanopore markets these sequencers only for research use and not clinical diagnosis, the devices can sequence human DNA even in research applications.
The US National Institute of Standards and Technology recently began considering research use cases in its latest draft guidelines for genomic cybersecurity and privacy, highlighting increased attention on the topic and the lack of clear standards.
The interdisciplinary collaboration between cybersecurity and bioinformatics researchers enabled the discovery of these previously unknown vulnerabilities. Rampazzi studies security flaws in critical systems including medical devices and self-driving cars, while Boucher develops algorithms for DNA analysis.
“In bioinformatics, we haven’t been working as closely with the security community as I think we should be,” says Boucher.
Researchers say the study serves as a warning to the scientific community about emerging threats to genomic data and the need for “secure-by-design” systems as portable DNA sequencers become increasingly common in research and field applications.