Security flaws in portable genetic sequencers risk leaking private DNA data

Portable genetic sequencers used around the world to sequence DNA have critical, previously unreported security vulnerabilities that could reveal or alter genetic information without detection, according to a new study.

Researchers from the University of Florida have, for the first time, exposed these security risks in devices from Oxford Nanopore Technologies, which produces nearly all the portable genetic sequencers in the world.

Alerted by the security researchers, Oxford Nanopore Technologies has rolled out updated software to patch the vulnerabilities. But out-of-date software, or unsecured internet systems, could still leave some DNA sequencers vulnerable to attack.

“No one in the world had looked at the security of these devices, which shocked me,” said Christina Boucher, Ph.D., a professor of computer and information science and engineering at UF, expert in bioinformatics, and co-author of the new report.

Boucher collaborated with Sara Rampazzi, Ph.D., also a professor of computer and information science and engineering, cybersecurity expert and project lead at UF, and students in the department to test Nanopore sequencers for security flaws. The study serves as a warning to the scientific community that new threats to genomic data urge a shift toward “secure-by-design” systems as portable DNA sequencers become increasingly common. The team published their findings in Nature Communications.

The researchers uncovered three vulnerabilities in the Oxford Nanopore MinION portable sequencer and its associated software. Two of these flaws allow an unauthorized user to improperly access the device and potentially copy or alter the DNA data without the authorized user’s knowledge. A third flaw opens the sequencer to a denial-of-service attack, which would halt the sequencing operation and make the device appear broken.

The Cybersecurity and Infrastructure Security Agency, the federal government’s cyber defense coordinator, verified these vulnerabilities in a report released Oct. 21. The report also provides instructions from Oxford Nanopore Technologies on how users can update their sequencers to address the security flaws.

Versions with older software would remain open to attack. This is especially possible when the portable sequencers are connected to insecure Wi-Fi networks or remote control is activated.

Costing just a few thousand dollars and able to operate anywhere in the world, these palm-sized sequencers have transformed the previously cumbersome and expensive work of sequencing DNA. But that portability contributes to the security risks of these devices because the sequencers must be connected to a computer to work.

“You are connecting a very specialized device to a general-purpose device like a laptop, which is intrinsically assumed to be secure,” said Rampazzi. “Instead, that laptop could be connected to an unsecured network, or it could be infected with malware or ransomware, especially if used in the field outside controlled environments.”

These nanopore sequencers are marketed only for research use and not to be used for clinical diagnosis. Yet even when restricted to research, these devices can be used to sequence the DNA of people.

The U.S. National Institute of Standards and Technology, which focuses on defining genomic cybersecurity and privacy guidelines, has only started to consider research use cases in distinction to clinical use in their latest draft guidelines, highlighting the increased attention on the topic and the lack of a clear standard.

Revealing these previously undiscovered vulnerabilities was only possible due to the interdisciplinary collaboration between the Rampazzi and Boucher labs. Boucher develops algorithms to better analyze DNA, while Rampazzi researches security flaws in critical systems ranging from medical devices, and self-driving cars to underwater data centers. Combining their expertise helped alert the community to a significant privacy threat.

“In bioinformatics, we haven’t been working as closely with the security community as I think we should be,” Boucher said.