DNA company vulnerabilities could expose biometric profiles of millions

Lax security of DNA databases could turn them into easy targets for hackers and a major risk to national security, writes MIT Technology Review. Crowdsourced genetic ancestry service GEDmatch has already been used by law enforcement in California to catch the Golden State Killer, as well as in other criminal investigations where the culprits were traced through their relatives.

This practice drew attention not only because investigators used the DNA profiles without people’s consent; security researchers also warn that DNA information could be easily accessed by intelligence agencies from other countries for espionage purposes.

This type of service has grown in popularity in recent years, but the problem is that some DNA profile companies, as is the case with GEDmatch, are run by volunteers. Gaps remain in their security systems that could enable third parties to gain access to the genetic health information of millions of Americans, for example.

As explained by Peter Ney, a postdoctoral researcher in computer science at the University of Washington, DNA profile theft could have far worse consequences than a traditional data breach because “(y)ou can replace your credit card number, but you can’t replace your genome.”

Together with two professors and DNA security researchers, Ney introduced a proof-of-concept attack that uses DNA information from GEDmatch to target specific profiles. The group was able to guess 90 percent of the DNA data of other users. The attack was designed specifically for GEDmatch and might not work on other databases. The researchers informed the company in July, but Ney is concerned that it might not have the tools to fix the vulnerability.

“The problem with GEDmatch is the browser is too good, and searches too deeply,” says Yaniv Erlich, Chief Scientist of MyHeritage. “If I were them, I would remove it, fix it, then put it back.”

“We certainly are concerned about privacy also, and it’s good that studies like this are done,” says the Founder of GEDmatch, Curtis Rogers. “But no matter what you do, there will always be some potential for privacy invasion when you are doing genealogy. Genealogy is a procedure in which you want to compare your information to other people’s.”

According to genomics researcher Razib Khan, this information is common knowledge and does not come as a surprise. He believes an attempt to exfiltrate information from the database may have already taken place.

“My guess is that almost certainly it’s already been done,” he says. “Governments are collecting data on people. You never know what they can use it for.”

When asked if there was any evidence to confirm this, Khan said he was not aware of it.

GEDmatch’s founder did not comment on this concern.
