
Huge DNA Database Just Waiting for Big Ol' Hack

It's the one police used to catch the Golden State Killer.
  • Researchers have extracted users' DNA from a crowdsourced DNA database by uploading crafted profiles and exploiting its comparison tools.
  • DNA testing and database sites are exposed to many kinds of attacks, and to the sale of user data.
  • Users must ask themselves whether the potential benefits of DNA testing outweigh the privacy risks.

Genealogy and security are clashing yet again, this time over the massively crowdsourced DNA database GEDmatch. MIT Technology Review reports that computer science researchers designed targeted attacks against GEDmatch: by uploading carefully constructed profiles and querying the site's comparison features, they were able to infer much of other users' DNA.
The founder of GEDmatch, Curtis Rogers, told Tech Review he's not that surprised, because genealogy has always involved sharing information and comparing it directly with others to find commonality. That same openness has long been exploited through social engineering, the low-tech but effective form of hacking that includes hunting for written-down passwords, asking personal questions to glean the answers to security prompts, and more.
We're all still asked for our mother's maiden name, a security question that is an anachronism in a hundred ways in 2019, not least because the answer is easily found on any genealogy site. Even sites that try to use other information still fall back on family names and relationships, probably because users who don't appreciate the importance of a strong password also won't spend the effort to create one, let alone remember it without an accessible hint.
Services like Ancestry and 23andMe now bank users' genome data, and amassing more and more samples makes their results more specific and accurate by shrinking the margin of error. But these services are also likely selling your genome to drug companies or even insurers. There seems to be a paradox in information security: users are so sure their identity will be stolen or their data sold that they stop worrying about it and make no attempt to prevent it.
Enter GEDmatch, a user-sourced database designed to match people with unknown relatives. Because the project is open and accessible, it's available to law enforcement as well. (Last year, California police revealed they had used GEDmatch to finally identify the notorious Golden State Killer.) Without your express permission, law enforcement can only obtain your DNA if you're arrested for a related crime, but departments are beginning to collect samples from entire communities as a way to, purportedly, exclude the innocent.
With that in mind, it's easy to see why the vulnerability researchers found in GEDmatch is so troubling. They put together a DNA profile, uploaded it to the site, and thereby unlocked the ability to search for close matches and compare against them. GEDmatch is run by volunteers who have, apparently, done too good a job building their user interface and search capability: the detail those comparison tools return is exactly what a crafted upload turns against other users. This specific kind of attack only works on their system, not on commercial sites like Ancestry or 23andMe.
Experts told Tech Review that one of the big ways an open database could be exploited is that strangers could claim to be relatives in order to gain an advantage. Think of the classic "Nigerian prince" scam, but with the added sheen of scientific credibility that shared DNA provides. The reason commercial testing sites aren't vulnerable to this is that they don't let users upload their own data; they only process samples they sequence themselves. Someone seeking to defraud 23andMe in the same way would have to do something like take a physical sample from another person and submit it as their own.
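To make the trade-off in the last two paragraphs concrete, here is an added toy model written for this page; it is not the researchers' code, not anything GEDmatch or any commercial site runs, and it reproduces no real file format or matching algorithm. It assumes a made-up genotype encoding (0/1/2 per marker) and two hypothetical comparison functions: one that reports matches marker by marker, the way a detailed comparison view might, and one that returns only an aggregate over long shared runs. The attacker needs only three constant uploads to read out an entire target kit from the detailed oracle, while the same uploads learn nothing from the aggregate one.

```python
"""Toy model of why an open DNA-comparison tool can be turned into an oracle.

Constructed illustration only: a 'kit' is a list of genotype codes, one per
marker (0 = homozygous reference, 1 = heterozygous, 2 = homozygous alternate).
The formats, marker counts and methods of real services or of the researchers
are NOT reproduced here; the point is the general pattern of inferring private
data from a comparison service that accepts arbitrary user uploads.
"""
import random

ALLELE_CODES = (0, 1, 2)


def leaky_compare(uploaded, target):
    """Marker-by-marker match report: True wherever the two kits agree.

    Stands in for any comparison view detailed enough to show, for each
    position, whether the uploaded kit matches the other user's kit.
    """
    return [a == b for a, b in zip(uploaded, target)]


def hardened_compare(uploaded, target, min_run=50):
    """Return only the total length of shared runs of at least min_run markers.

    Short coincidental agreements, which crafted kits rely on, are dropped,
    and the caller sees a single aggregate number rather than positions.
    """
    total = run = 0
    for a, b in zip(uploaded, target):
        if a == b:
            run += 1
            continue
        if run >= min_run:
            total += run
        run = 0
    if run >= min_run:
        total += run
    return total


def recover_target(oracle, n_markers):
    """Attacker side: upload one constant kit per allele code and record which
    positions the oracle reports as matching. With a per-marker oracle, one
    upload per code (three here) recovers every marker of the target."""
    recovered = [None] * n_markers
    for code in ALLELE_CODES:
        for i, hit in enumerate(oracle([code] * n_markers)):
            if hit:
                recovered[i] = code
    return recovered


def demo(n_markers=1000, seed=1):
    """Run both oracles against the same random (constructed) target."""
    rng = random.Random(seed)
    target = [rng.choice(ALLELE_CODES) for _ in range(n_markers)]

    leaked = recover_target(lambda kit: leaky_compare(kit, target), n_markers)

    # Against the hardened oracle the same three constant uploads yield one
    # number each; a random target essentially never holds 50 identical codes
    # in a row, so each aggregate is 0 and no positions are revealed.
    aggregate_only = [hardened_compare([c] * n_markers, target)
                      for c in ALLELE_CODES]
    return {
        "uploads": len(ALLELE_CODES),
        "recovered_exactly": leaked == target,
        "hardened_totals": aggregate_only,
    }


if __name__ == "__main__":
    print(demo())
```

Aggregating results and enforcing a minimum shared-segment length shrinks the leak but does not close it: an attacker who can upload many kits and adapt them to the aggregate feedback still extracts information, just more slowly. The more durable control is the one the article credits the commercial sites with, not accepting user-supplied genotype data at all, backed by identity checks and rate limits on whatever comparison features remain.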
If GEDmatch is a bank of data, right now the bank doesn't even have a security guard snoozing by the front door. The mismatch between intended audience and actual audience is nothing new: years ago, internet users at corporations and universities would post corporate credit card numbers or FedEx account numbers on public web pages, assuming strangers would have no reason to look. Hopefully other services can learn from this hack and better secure their information.
