Popular genetic-mapping software potentially exposed patients’ data

Analysts at Sandia National Laboratories discovered the flaw in the Burrows-Wheeler Aligner. A patch has been issued for the software.

Security researchers have helped fix a flaw in genetic-mapping software that could have allowed a hacker to manipulate the results of a person’s DNA analysis, showing the challenges of securing code in an industry that is crunching ever-larger sets of data.

The bug in the open-source Burrows-Wheeler Aligner (BWA) allowed genetic data to be sent over insecure channels, potentially exposing it to interception and manipulation. Genetic mapping involves replicating information from a person’s cells and comparing that to a standardized human genome, helping a doctor identify traits associated with a disease.
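The article does not describe how the fix works, so the following is an added illustration of the generic defence against the class of problem it names (reference data fetched over a channel an attacker can intercept and alter). It is not code from BWA, Sandia or the patch: a pipeline refuses to fetch reference data over an unauthenticated scheme, and verifies a downloaded reference file against a checksum obtained out of band before any alignment is run. The FASTA content and the checksum-publication step are constructed for the demo.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Schemes over which reference data may be fetched. Plain http and ftp are
# excluded because an on-path attacker can read and rewrite their payloads.
ACCEPTABLE_SCHEMES = {"https", "file"}


def reference_url_is_acceptable(url: str) -> bool:
    """Return True only if the reference would travel over an authenticated channel."""
    return urlparse(url).scheme.lower() in ACCEPTABLE_SCHEMES


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a (possibly multi-gigabyte) reference file through SHA-256."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_reference(path: str, expected_sha256: str) -> bool:
    """Compare the on-disk reference against a checksum obtained out of band."""
    return sha256_file(path) == expected_sha256.lower()


def load_reference_or_fail(path: str, expected_sha256: str) -> str:
    """Gate the aligner: a reference that fails verification is never used."""
    if not verify_reference(path, expected_sha256):
        raise ValueError(f"integrity check failed for {path}; refusing to align against it")
    return path


def demo_tamper_detection() -> dict:
    """Show that a single altered base in the reference is caught before alignment.

    The checksum is taken from the pristine file to stand in for the value a
    publisher would post alongside the download (constructed for this demo).
    """
    # Constructed toy reference; a real one is a multi-gigabyte FASTA.
    pristine = b">chr_demo constructed example\nACGTACGTTTGACCAGGTACCATGG\n"
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "ref.fa")
        with open(ref, "wb") as fh:
            fh.write(pristine)
        published_checksum = sha256_file(ref)  # simulates the out-of-band value

        intact_ok = verify_reference(ref, published_checksum)

        # Simulate interception on an insecure channel: flip one base.
        tampered = pristine.replace(b"TTGACC", b"TTGTCC", 1)
        with open(ref, "wb") as fh:
            fh.write(tampered)
        tampered_ok = verify_reference(ref, published_checksum)

        try:
            load_reference_or_fail(ref, published_checksum)
            blocked = False
        except ValueError:
            blocked = True

    return {"intact_ok": intact_ok, "tampered_ok": tampered_ok, "blocked": blocked}


if __name__ == "__main__":
    print(reference_url_is_acceptable("https://example.invalid/ref.fa"))  # True
    print(reference_url_is_acceptable("http://example.invalid/ref.fa"))   # False
    print(demo_tamper_detection())
```

The two checks are complementary: the scheme check stops the fetch from happening over an unauthenticated channel at all, and the checksum check catches a file that was altered anywhere between the publisher and the aligner, including on disk. The checksum must itself arrive by a trusted route (for example, from a signed release page), or an attacker who can rewrite the download can rewrite the checksum too.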

In practice, a doctor receiving erroneous data from the software could have prescribed the wrong medication to a patient, warned analysts from the government-funded Sandia National Laboratories, who discovered the vulnerability. BWA is one of the most widely used programs for genetic mapping.

A patch has been issued for the flaw. There is no evidence that the vulnerability has been exploited in the wild, researchers said.

Genomic analysis has grown exponentially in recent years, moving beyond academia to health care professionals and the businesses that support them, according to Corey Hudson, a bioinformatics researcher at Sandia. But the security of the software processing that data hasn’t yet caught up, he said. Algorithms meant for smaller tasks are now being deployed on a larger scale in commercial software, and they need to be examined for flaws and potential abuses, Hudson added.

“These are huge datasets. They’re highly personal,” he told CyberScoop. “There’s a lot of information that concerns not only your background but also how your genome relates to various medical treatments you may receive or your propensity toward a disease.”

Hudson and colleagues from the University of Illinois at Urbana-Champaign used a simulated computing environment at Sandia known as Emulytics to uncover the vulnerability. Two servers sent information to the Emulytics platform — one sent a standard genome sequence and the other intercepted it. The researchers used the platform to see how the attack changed the final genome sequence.

As Sandia researchers continue their work, Hudson said, “I think we’ll discover there are a lot more opportunities to engage the open-source community to develop better security practices.” In that vein, Hudson will elaborate on his research at the Biohacking Village at the DEF CON cybersecurity conference in August.
