Researchers at Sandia Labs uncovered a weakness in the open source genomic analysis software known as Burrows-Wheeler Aligner (BWA). In bioinformatics we use this software to map low-divergent sequences against a large reference genome, which improves both the efficiency and the accuracy of the analysis.
The vulnerability found in the BWA software left the door open for a “man-in-the-middle” attack. In this type of attack, both parties believe they are communicating directly with each other, while in fact the attacker is intercepting the traffic and altering or injecting messages. Fortunately, this time, no attack happened. Had one occurred, it could have been very costly: an attacker could have altered a person’s genetic information from sequencing and rendered the final analysis completely incorrect. The reason this is so alarming is that genomic sequencing and mapping may be done for the purpose of determining medical treatment. Of course there is also the concern of having your genetic data stolen, which I’ve covered in other blogs.
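The attack described above works by altering data in transit, so the practical defence is to check what arrived against what was expected before aligning against it. The following is an added example, not code from this post or from the BWA project: it verifies a reference FASTA and the index files BWA reads alongside it against pinned SHA-256 digests, failing closed on any missing or altered file. The manifest format, file names and sample contents are assumptions made for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Companion files BWA derives from the FASTA; all of them feed the alignment.
BWA_INDEX_SUFFIXES = (".amb", ".ann", ".bwt", ".pac", ".sa")


def sha256_file(path, chunk_size=1 << 20):
    # Stream in chunks so a multi-gigabyte reference never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    # sha256sum-style lines: "<hex digest>  <filename>"; '#' lines are comments.
    pinned = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            digest, name = line.split(None, 1)
            pinned[name.strip()] = digest.lower()
    return pinned


def verify_reference(ref_fasta, manifest_text):
    """Return (ok, problems); ok only if every expected file exists and matches."""
    pinned = parse_manifest(manifest_text)
    problems = []
    for path in [ref_fasta] + [ref_fasta + s for s in BWA_INDEX_SUFFIXES]:
        name = Path(path).name
        if name not in pinned:            # unknown file: refuse rather than trust
            problems.append(f"{name}: no pinned digest")
        elif not Path(path).is_file():
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_file(path), pinned[name]):
            problems.append(f"{name}: digest mismatch")
    return (not problems, problems)


def demo():
    # Constructed sample: toy FASTA plus stand-in index files; the FASTA is then
    # rewritten to simulate a reference altered in transit.
    with tempfile.TemporaryDirectory() as d:
        ref = str(Path(d) / "ref.fa")
        files = {ref: b">chr1\nACGTACGTAC\n", **{ref + s: s.encode() for s in BWA_INDEX_SUFFIXES}}
        for p, data in files.items():
            Path(p).write_bytes(data)
        manifest = "\n".join(f"{sha256_file(p)}  {Path(p).name}" for p in files)
        clean = verify_reference(ref, manifest)
        Path(ref).write_bytes(b">chr1\nACGTACGTAA\n")
        return clean, verify_reference(ref, manifest)
```

`demo()` returns the clean result first and the post-tampering result second; in a pipeline the check would gate the alignment step on `ok` being true.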
Note: The labs that use this software (and were temporarily vulnerable) are companies that do genomic sequencing and labs that do forensic testing. Companies that do direct-to-consumer genetic tests were NOT at risk because they use a completely different method.
After Sandia Labs discovered the weakness, they notified the software developers, who issued a patch to fix the problem. I’d like to thank Corey Hudson (a bioinformatics researcher) and the rest of his team at Sandia, who not only helped discover this issue but continue to do very important security testing of genomic software. For more details about this vulnerability, see NIST’s entry.