Popular genetic-mapping software potentially exposed patients’ data

Analysts at Sandia National Laboratories discovered the flaw in the Burrows-Wheeler Aligner. A patch has been issued for the software.

Security researchers have helped fix a flaw in genetic-mapping software that could have allowed a hacker to manipulate the results of a person’s DNA analysis, showing the challenges of securing code in an industry that is crunching ever-larger sets of data.

The bug in the open-source Burrows-Wheeler Aligner (BWA) allowed the genomic data the program works with, including the standardized reference genome it aligns against, to travel over insecure channels, exposing it to interception and manipulation by anyone positioned on the network path. Genetic mapping involves sequencing DNA from a person's cells and aligning the resulting reads against a standardized human reference genome; the differences between the two are what help a doctor identify traits associated with a disease, so a tampered reference silently changes what the analysis reports.

In practice, a doctor receiving erroneous data from the software could have prescribed the wrong medication to a patient, warned analysts from the government-funded Sandia National Laboratories, who discovered the vulnerability. BWA is one of the most widely used programs for genetic mapping.

A patch has been issued for the flaw. There is no evidence that the vulnerability has been exploited in the wild, researchers said.


Genomic analysis has grown exponentially in recent years, moving beyond academia to health care professionals and the businesses that support them, according to Corey Hudson, a bioinformatics researcher at Sandia. But the security of the software processing that data hasn’t yet caught up, he said. Algorithms meant for smaller tasks are now being deployed on a larger scale in commercial software, and they need to be examined for flaws and potential abuses, Hudson added.

“These are huge datasets. They’re highly personal,” he told CyberScoop. “There’s a lot of information that concerns not only your background but also how your genome relates to various medical treatments you may receive or your propensity toward a disease.”

Hudson and colleagues from the University of Illinois at Urbana-Champaign used a simulated computing environment at Sandia known as Emulytics to uncover the vulnerability. Inside the platform, one server played the source of a standard genome sequence while a second server sat on the path between it and the aligner and intercepted the transfer. The researchers then compared the genome sequence the software produced from the intercepted data against the result from the untouched data to see how the attack changed the final output.
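The following Python sketch is an added illustration, not code from Sandia, the University of Illinois team or the BWA project. It stands in for the Emulytics experiment described above with a toy seed-and-extend aligner in place of BWA, a constructed reference sequence and constructed patient reads (not real genomic data), and a hypothetical attacker on the transfer path who rewrites a single base of the reference in transit. It shows that such a rewrite can either hide a variant the patient really carries or fabricate one they do not, and that checking the received reference against a digest published out of band (an assumed mitigation, not something the article attributes to the patch) refuses the tampered copy before alignment runs.

```python
import hashlib

# Constructed toy data (not real genomic sequences): a short "reference genome"
# and three short sequencing reads from a hypothetical patient. The patient
# carries one true variant: the read mapping to offset 9 has C where the
# reference has A at offset 17.
REFERENCE = "ACGTACGTTGCAGGCTTAACGGATCCGTAGCTAGGACTTACG"
PATIENT_READS = [
    "GCAGGCTTCACG",  # maps to offset 9; true A->C variant at offset 17
    "CCGTAGCTAGGA",  # maps to offset 24; identical to reference
    "ACGGATCCGTAG",  # maps to offset 18; identical to reference
]

# Digest the reference provider would publish out of band (simulated here by
# hashing the trusted copy). A real pipeline would take this from a manifest
# obtained separately from the download channel, never from the download itself.
TRUSTED_DIGEST = hashlib.sha256(REFERENCE.encode()).hexdigest()


def call_variants(reads, reference, seed_len=8):
    """Toy seed-and-extend aligner standing in for BWA.

    Each read is placed by an exact match of its first seed_len bases, then the
    rest of the read is compared base by base against the reference. Returns a
    list of (offset, reference_base, read_base) mismatches, i.e. variant calls.
    """
    calls = []
    for read in reads:
        pos = reference.find(read[:seed_len])
        if pos < 0:
            continue  # unmapped read
        window = reference[pos:pos + len(read)]
        for i, (read_base, ref_base) in enumerate(zip(read, window)):
            if read_base != ref_base:
                calls.append((pos + i, ref_base, read_base))
    return calls


def mitm_tamper(reference, offset, new_base):
    """Hypothetical attacker between the reference server and the aligner rewrites one base in transit."""
    return reference[:offset] + new_base + reference[offset + 1:]


def verify_reference(received, expected_digest):
    """Integrity check: compare the received reference against the out-of-band digest."""
    return hashlib.sha256(received.encode()).hexdigest() == expected_digest


def align_or_refuse(received_reference, expected_digest, reads=PATIENT_READS):
    """Hardened pipeline step: refuse to align against a reference that fails the check."""
    if not verify_reference(received_reference, expected_digest):
        raise ValueError("reference genome failed integrity check; refusing to align")
    return call_variants(reads, received_reference)


if __name__ == "__main__":
    # Honest channel: the patient's true variant is reported.
    print(call_variants(PATIENT_READS, REFERENCE))  # [(17, 'A', 'C')]
    # Tampering can hide the true variant by editing the reference to match the read...
    masked = mitm_tamper(REFERENCE, 17, "C")
    print(call_variants(PATIENT_READS, masked))  # []
    # ...or fabricate a variant the patient does not carry.
    injected = mitm_tamper(REFERENCE, 33, "A")
    print(call_variants(PATIENT_READS, injected))  # [(17, 'A', 'C'), (33, 'A', 'G')]
    # The digest check catches both tampered copies before any alignment happens.
    for name, ref in [("honest", REFERENCE), ("masked", masked), ("injected", injected)]:
        print(name, verify_reference(ref, TRUSTED_DIGEST))
```

The aligner here is deliberately minimal; what matters for the security argument is that the reference is an input the analysis trusts completely, so integrity of that input has to be established by something other than the channel it arrived on.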

As Sandia researchers continue their work, Hudson said, “I think we’ll discover there are a lot more opportunities to engage the open-source community to develop better security practices.” In that vein, Hudson will elaborate on his research at the Biohacking Village at the DEF CON cybersecurity conference in August.

Written by Sean Lyngaas