Consumer DNA testing has never been more popular. Simply purchase a kit (e.g. 23andMe or AncestryDNA), swab your cheek or spit in a tube, and mail it in to get your results. As you seal the kit, you probably don't ponder the security risks; you just want to know if great aunt Margaret is really a descendant of the House of Windsor.
Now imagine your genetic material is stolen and sold on the dark web. Uh oh. It’s a terrifying thought that could soon become a reality. Hackers are always looking to make a quick buck and DNA is another way to make a lot of money.
But unlike getting a new credit card after it’s been stolen, you can’t get new DNA. Your DNA is permanent, and now you have to worry about what those scammers are going to do with your stolen DNA.
The above is an excerpt from Richard Kahn's blog post titled "Malware: The Dangers of DNA Hacking", published 5 years ago. Could it be that what he calls a scary thought that could soon become a reality has already happened? At VulnSign, we now have conclusive evidence that the DNA data of more than 15 million people can be accessed by attackers. And the companies involved are ignoring our warnings.
The types of security vulnerabilities we detected on both sites:

As of September 2023, we have resolved to conduct independent investigations into vulnerabilities in websites hosting crucial data with profound implications for humanity. We will dedicate one week each month to fostering a safer world and web environment for all. For our inaugural research, we focused on companies offering at-home DNA testing services.
Main motivations for the research:

As a result of our security research, we have uncovered serious security vulnerabilities in the genetic information providers 23andMe and GedMatch. These vulnerabilities carry the risk of allowing malicious actors unauthorised access to users' sensitive DNA data.
After discovering these vulnerabilities, we informed the relevant companies and emphasised the need for urgent solutions. Unfortunately, we have received no response regarding these critical vulnerabilities.
If a cybersecurity officer working at the FBI reaches out to us with the necessary legal permissions, we can report the critical vulnerabilities without expecting any benefit in return.
These vulnerabilities could lead to the following consequences for more than 15 million people:
Recognizing the gravity of this issue, VulnSign has assumed the responsibility of raising public awareness. By informing the public, we aim to compel the implicated companies to address these vulnerabilities and to bolster the security for their users.
Users are also advised to:
There are thousands of stories similar to that of Dr. Rachel Southard. Some are moving, some are tragic. For instance, there are cases where genetic tests taken by five members of the same family, all sharing a surname, revealed that a son had a different father. There are thousands of instances of a man unknowingly raising another man's child as his own. These vulnerabilities also carry the risk of such information being disclosed.
It is reckless to take a DNA test on platforms carrying this many risks. You can, however, sleep easier by having your profile destroyed.
Let's also talk about money a bit.
GedMatch was sold to Verogen for $15 million in 2019. Verogen was sold for $150M earlier this year, with the GedMatch database of nearly 2 million DNA kit profiles valued at $60 million.
23andMe has received nearly $1B in investment to date. The company's first investor is Google.
MyHeritage was acquired by Francisco Partners for $650 million two years ago.
The largest in the sector, Ancestry, was acquired by Blackstone Group Inc. for $4.7 billion three years ago.
The first reason is ransom. DNA information is worth more than any other data set found in big data. If the attackers' demands are not met, they can publish extremely sensitive data openly. A hospital in the US state of Indiana had to pay $55,000 to attackers who stole the genetic information of a handful of its patients. If attackers demanded $55,000 for genetic data belonging to 1,500 people, what do you think they would ask for 15 million records?
We have no doubt that law enforcement and intelligence agencies first and foremost, along with dozens of other entities such as insurance companies and health companies, would be interested in this data.
Enforce email confirmation for accounts whose passwords appear in public breach dumps. We estimate that the passwords of roughly 2 million of your users can be obtained from leaked databases. Assuming an average of two kits per membership, the DNA data of 4 million people is an easy target, even for low-skill attackers.
Immediately enforce email confirmation when members download raw-data files. Ignoring this until now shows that you are unaware of the responsibility that comes with the data you hold.
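The two controls above (flagging accounts whose password is already in a public dump, and requiring a fresh e-mail confirmation before a raw-data file is served) can be sketched in a few dozen lines. The code below is an added example for this article, not code from GedMatch or 23andMe. The breached-password list, the user and kit identifiers, the token layout and the in-memory replay set are all constructed for the example; a real deployment would query a breached-password corpus by hash prefix, keep the signing key in a secret store and the replay set in a shared cache.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed sample data: SHA-1 digests of a few passwords that appear in
# public credential dumps. A real check would consult a breached-password
# corpus by hash prefix so the password itself never leaves the server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def password_is_breached(password: str) -> bool:
    """True when the password's SHA-1 digest is in the breached set.
    The lookup mimics a k-anonymity range query: the first five hex
    characters select candidates, the remaining suffix is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def login_requires_email_confirmation(password: str) -> bool:
    """Policy: an account whose password is in a public dump must confirm
    ownership of its e-mail address before the session is trusted."""
    return password_is_breached(password)


# Assumed: a single server process. In production the key comes from a secret
# store and the replay set lives in a shared cache.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600            # seconds a confirmation link stays valid
_used_tokens = set()       # MACs of tokens already redeemed


def issue_download_token(user_id: str, kit_id: str, now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited token to send to the account's e-mail.
    Layout: <user_id>.<kit_id>.<expiry>.<nonce>.<mac>; only user_id may contain
    dots, so the verifier splits from the right."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL
    nonce = secrets.token_hex(8)
    payload = f"{user_id}.{kit_id}.{expiry}.{nonce}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_download_token(token: str, user_id: str, kit_id: str,
                          now: Optional[float] = None) -> bool:
    """Accept the token only if it is authentic, bound to this user and kit,
    unexpired, and has never been redeemed before."""
    now = time.time() if now is None else now
    parts = token.rsplit(".", 4)
    if len(parts) != 5:
        return False
    t_user, t_kit, t_expiry, t_nonce, mac = parts
    payload = f"{t_user}.{t_kit}.{t_expiry}.{t_nonce}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                      # forged or tampered
    if t_user != user_id or t_kit != kit_id:
        return False                      # bound to another user or kit
    if not t_expiry.isdigit() or int(t_expiry) <= now:
        return False                      # link expired
    if mac in _used_tokens:
        return False                      # replayed
    _used_tokens.add(mac)
    return True


def authorize_raw_download(user_id: str, kit_id: str, token: Optional[str],
                           now: Optional[float] = None) -> Tuple[bool, str]:
    """Gate for the raw-data endpoint: no valid e-mail confirmation, no file."""
    if token is None:
        return False, "email confirmation required"
    if not verify_download_token(token, user_id, kit_id, now):
        return False, "confirmation token invalid, expired or already used"
    return True, "ok"
```

The token is bound to both the account and the kit, so a confirmation link obtained for one kit cannot be replayed against another, and the MAC check runs before anything else so that a forged token reveals nothing about which user or kit it was guessed for.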
Understand the responsibility of the data you own. The same diligence required for the FDA is needed for cybersecurity.
Remember, there are hunters bigger than the elephants they hunt. The elephant hunters of the hacking world have no motivation to report vulnerabilities on HackerOne or Bugcrowd; they set the value of a vulnerability themselves. A finding that you do not consider a vulnerability can be extremely valuable to one of them.
Every firewall has bypass techniques, some of which will never become public. Using Cloudflare heavily does not mean you are completely safe.
Receive red teaming services from the most expert individuals in the field. Identify and fix your vulnerabilities.
Take your website offline until the existing vulnerabilities are fixed. You are putting nearly 2 million people at risk while trying to please a few law enforcement agencies.
Always retain a cyber security service. If you already have one, it is obviously inadequate.
The era of hand-written PHP ended 10 years ago. Use a SAST tool; that is a good start for finding existing vulnerabilities. Better still, instead of patching the existing code, use a framework and an ORM, and validate input even when you use an ORM.
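What "validate input even with an ORM" means in practice, as an added example for this article (not code from either company): a kit lookup built by string interpolation, the same lookup with the identifier allowlisted and bound as a parameter, and a constructed in-memory table to run both against. The kit-id format, the table layout and the sample rows are assumptions for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Assumed kit-id format for the example: two or three capital letters followed
# by four to ten digits. Adjust to the real identifier scheme.
KIT_ID_RE = re.compile(r"[A-Z]{2,3}[0-9]{4,10}")


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a kits table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kits (kit_id TEXT PRIMARY KEY, owner TEXT NOT NULL, "
        "raw_path TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO kits VALUES (?, ?, ?)",
        [("AB123456", "alice", "/raw/AB123456.bin"),
         ("CD654321", "bob", "/raw/CD654321.bin")],
    )
    return conn


def find_kit_vulnerable(conn: sqlite3.Connection, owner: str,
                        kit_id: str) -> List[Tuple[str, str, str]]:
    """Query built by string interpolation: kit_id is pasted straight into SQL,
    so a crafted value rewrites the WHERE clause."""
    sql = (f"SELECT kit_id, owner, raw_path FROM kits "
           f"WHERE owner = '{owner}' AND kit_id = '{kit_id}'")
    return conn.execute(sql).fetchall()


def find_kit_safe(conn: sqlite3.Connection, owner: str,
                  kit_id: str) -> List[Tuple[str, str, str]]:
    """Allowlist the identifier first, then bind it as a parameter.
    Binding alone stops injection; the allowlist additionally rejects
    garbage before it reaches the database or any log line."""
    if not KIT_ID_RE.fullmatch(kit_id):
        raise ValueError(f"malformed kit id: {kit_id!r}")
    return conn.execute(
        "SELECT kit_id, owner, raw_path FROM kits WHERE owner = ? AND kit_id = ?",
        (owner, kit_id),
    ).fetchall()


def demo() -> dict:
    """Run the injection payload through both versions and report the outcome."""
    conn = make_sample_db()
    payload = "x' OR '1'='1"   # AND binds tighter than OR, so every row matches
    leaked = find_kit_vulnerable(conn, "alice", payload)
    try:
        find_kit_safe(conn, "alice", payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "rows_leaked_by_vulnerable_query": len(leaked),
        "payload_blocked_by_safe_query": blocked,
        # a well-formed id for someone else's kit is still scoped by owner
        "foreign_kit_visible_to_alice": bool(find_kit_safe(conn, "alice", "CD654321")),
    }
```

Note that the owner check in the WHERE clause is what keeps a well-formed but foreign kit id (bob's CD654321 requested by alice) from returning a row; parameter binding protects the query syntax, and the owner predicate protects the data.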
ModSecurity is better suited to simpler sites; GedMatch is relying on it in a role it does not fit.
You are not storing the raw data uploaded by users properly. It sits in a temporary cache before being converted to binary some time later, and we also have doubts about how the converted data is secured.
Links to a few of the hundreds of adverse developments published in the recent past that justify our research:
https://www.washingtonpost.com/world/interactive/2023/china-dna-sequencing-bgi-covid/
https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/
https://d3.harvard.edu/platform-digit/submission/23andme-losing-at-digital-privacy/
The first video on this page belongs to the @Gizmodo channel on YouTube, and the second video belongs to MyHeritage.
The purpose of this research is to create awareness for all companies in this sector. Similar severity vulnerabilities may also exist in Ancestry, FTDNA, and others. This article will be updated on the day when 23andMe and GedMatch fix the current vulnerabilities.