BSidesNcl 2021 The Metavirus: Co-opting DNA synthesis James Bore

um

right coming up now on the main stage is mr james ball who's going to make us realize we're all going to die is that about an accurate statement my friend

are you good to go you wind up oh no i'm not going to touch you there we go are you green so say something talk to me the list is sensitive okay without further ado ladies and gentlemen uh is your collector working happy yeah give me a sec well ladies and gentlemen without further ado please welcome james board [Applause] sorry i've just been stunned in silence by john mcafee there so thank you for that right metavirus co-opting dna synthesis i'm not talking here about genetic engineering except when i am so i just want to start with a quick word about models i am not a geneticist i'm not an expert in genetic synthesis during this talk i'm going to be using a

lot of models and analogies most models are useful summer models are sort of true these ones hopefully are sort of true and useful but just by their in mind someone who is an expert in this stuff will know better annoyingly i also discovered after choosing the title for the talk that the virus is a name for a family of viruses this has nothing whatsoever to do with them so please just ignore it the idea is that this is about malware being able to write biological viruses so the basics genetic editing talking about modern ways to do it we have i can get that to work uh crispr casnite that's the most recent way it's popular

it's cheap really cheap you can buy a kit for about 15 mail order next day delivery and it's an easy to use technology i use technology in a loose sense it's not electronic it doesn't involve devices it is edited proteins which can essentially copy and paste synthesized genes or other genes into a genetic sequence at a chosen point so it's a full editing kit for whichever genome you want it to be roughly speaking what happens is it's derived from a bacteria that bacteria lives along has a happy life gets infected by a virus finds a way to beat that virus uses these proteins to cut out a snippet of that viruses code store it in its own

genome as a library to recognize it in the future so that it can use the same defenses again those proteins can be extracted or synthesized and then used to do the same thing basically at will and this is the type of stuff where for a bit of money you could do it quite happily in your home now handy analogy it's exactly what classical antivirus programs did store a signature recognize it react to it contain deal with the threat now within the laboratory that is exactly what it is it's editing genes it's not completely error-free mutations creep in but it is the most cost effective the most accurate way that we have of doing genetic manipulation as of today

there are other methods they're more expensive i'm sure tomorrow there will be new ones coming up there's two out there called zfns and talons they're older ones not as popular because they take more effort cost more money and aren't as accurate so budget bow hacking here you are this is a crisper casino kit you can get it mail order they do do next day delivery so you can get that as well and you can have it ordered to your home it's got roughly enough in there for about five experiments edit your own five organisms this one's designed to allow genetic modification of e coli so you can splice genes into an e coli bacterium you can of course use the same

techniques to splice it into anything else and that's a non-dangerous variant of e coli not the one we need to be worried about in food i've just found the laser pointer instead here we go now gain and spot the difference here can anyone tell me the key difference between these two sets of code i'm hoping it's fairly obvious

good enough one's computer code one's genetic code the similarity is that they are both executable coded for all intents and purposes this is one of those models i mentioned earlier computer code we know it's executable it runs through a compiler runs through the computer carries out instructions does stuff genetic code is executable runs through the machinery of the cell gets executed builds proteins those proteins go off their demons their services they go off they do things they build a human body they build an eye they build a deadly virus but they are really both executable code and there's a key thing there for anyone who does reverse engineering you'll be aware that getting from pure

assembler to what the code is actually doing is a really tough challenge it's much easier when you're working at a higher level and you can read the code in c or python or whatever you want to if it's being compiled to that level it's much much harder to work out what it's doing shockingly the same applies to genetic code because looking at that i have no idea what that even codes for but geneticists are having the same problems in that they get sequences and the only way to really find out what they do is execute them in some way and then they might do different things in different circumstances so same as executable code on a computer

different os different processors might carry out different instructions might just not work might break the thing set fire to the hard drive could be anything same thing with genetic you put it in a different organism could have a completely different function it's really really hard to predict what he's going to do and the amount of code involved is surprising i'm actually going to ask for guesses who thinks there is at least a terabyte of data in human genetic code okay gigabyte

there is roughly 750 megabytes of data in human genetic code the compression is astounding you've got functions in there which are reused for multiple purposes when they're invoked different ways you basically have the worst hack job of code you could imagine with no comments using every trick to jog memory to reuse processes that you could imagine running in every cell in your body which is you know encouraging one day we'll figure it out i'm sure there's another problem which is again fundamental to genetic code if you're running something on a computer you might be running it as a user or you might be running it at kernel level might be running a system biology doesn't really do that

if it's in the genetic sequence it all runs with the same privileges you do not have permission levels built into sales if it's in it's trusted it will execute so when you get a virus what's happening is it is injecting its own genetic code into that machinery that is then executing it's usually creating more copies of the virus and often has nasty side effects it's why we use the term virus for computer viruses as well and why it's not always entirely accurate distinct from malware a virus requires a host process retroviruses in particular have persistence so a normal virus when it edits a cell when it hijacks a cell it will spew out loads of copies the

cell dies problem you get a cold you get ill you get covered something something nasty but it's not too bad a retrovirus makes a permanent change to the code of that cell which is persistent as it replicates so this is why genetic editing allows you to theoretically do things like change eye color deal with genetic defects all sorts of different things particularly if you catch it early before the cells replicate too much you can completely change an organism at a base level in a way that is persistent throughout that organism's life and through any descendants imagine if you could just say i'm going to pop over to dell take one of their master computers and inject my own

malware into it okay so given all that i think i've managed to just turn something off lovely

there we go is there a danger well we've got an audience all wearing masks so you know that there's a danger to viruses also how do i turn off the laser pointer before i accidentally blind someone fine i'll just aim it down once and try not to move my hand too much uh is there a danger of this

i'm gonna call that dead right well 2017 a group of researchers and this caused a bit of a storm at the time due to ethics considerations i can't imagine why that might be they published a research paper on synthesizing the horsepower virus horsepower is related to smallpox not a great thing same sort of data same sort of virus and the synthesized dna is about 100 to 300 kilobytes of data we're not talking huge stuff here they took that synthesized horsepower dna and edited it into a live synthetic cell so they essentially took an extinct virus and brought it back to life and it was potentially infectious what they really demonstrated was if you have a record of the code not even the

live organism of something like smallpox yes it's expensive to do it takes a bit of challenge at the moment but you can synthesize that edit it into an organism and you suddenly have infectious smallpox if you don't think this is a great idea i'd agree with you as i said there were some serious ethics concerns around it um it does sound like the next resident evil film starting up or planet of the eights genuinely think that's possible so but yeah they revived an extinct relative of smallpox this is not something you should do certainly not something you should do for an academic people they put forward the argument for the research that it would allow

extinct viruses to be studied to be prevented should they research issue here as people raised was if it was still extinct you wouldn't need to prevent it just leave it dead they were virologists so they knew exactly what they're doing research took about six months and came to a total cost of roughly a hundred thousand dollars amateurs in a university not looking to actually weaponize something now all of us here are interested in security i have this whole thing that security is holistic you cannot distinguish too much between cyber info bio physical anything else so biosecurity we all know about containment we know about segregation we know about keeping information keeping assets safe the last death from smallpox

can anyone give me a guess on when

no 1978 in birmingham where it was effectively extinct uh the last actual case live world case was in somalia in 1977 so a year later the last smallpox victim dies 40 year old woman called janet parker the infection vector was never really established but she was working in the building where samples were being studied not in the same lab but within the building the investigation didn't uncover any failings no one knows what happened it was believed that it may have got through the ventilation but that doesn't explain everything and this occurred in a lab environment where there were no failures found in containment there were no issues found with health and safety it was believed they were

doing everything fine and she was not even on the same floor as the sampler so this is the type of thing that errors in security can lead to if you're doing biosecurity we all know how easy aerosol to make in cyber the professor who headed the smallpox laboratory was one of less than a dozen authorised to study it by the who and a day after her death he committed suicide so it is a truly tragic story

moving on to something a bit lighter and more hopeful um gen script up there these are all companies that will make synthesized dna for you and post it out to you gen script their pricing starts out at 18 pence per base pair base pair is roughly a bit of information so you know kilobytes you're talking a few hundred dollars a few hundred quid and that's with a turnaround of a few weeks to get it delivered through the mail to your daughter many manufacturers of dna many of the people who do this apply a blacklist they apply a list of known harmful genetic sequences so if you try to order one of those and it's on that list they will not create

it for you many of them don't do that at all because it takes a lot of work there's a lot of false positives so they just say hang it we'll print anything even from those who do the amount of work it takes you have to get virologists in to properly understand when we've got a false positive or of course when we've got a true positive if you break up a sequence bear in mind we can edit it back together however we want in an organism so if you break up a sequence you can obfuscate the code and get that sample sent out to you in two samples stitch them together afterwards it's too inconvenient to stop someone

ordering the genetic sequence of a kilovas too expensive so effectively let's say you can do it um now the plus side is we've solved this problem sort of in cyber security we we're quite good at antivirus so maybe we've got something to teach them there there are people working to solve this but all of the stuff around it is voluntary it's entirely voluntary companies do not have to do it at all

right security back to security this is going to seem irrelevant for a bit for those of you who remember the days of fax machines you will almost certainly remember spam coming through the fax machine for the rest of you well maybe some more of you who remember printers before we went paperless you may remember privatizing spam coming through your printers people hijacking internet connected printers and advertising things this was an advert for a privatizing service so you can just order it and pay per thousand it's lovely anything internet connected is a potential attack surface we all know that and anything that's a potential attack surface will be used to generate profit or cause harm 3d printers

a few years ago brand new really expensive technology no one had them now you can pick one up in spare parts internet connected still quite popular print from metal print from sugar i do like the sugar printers pizza printers are out there by the way many hackspaces have built their own pizza printer i don't know why it's cheaper to order but it's fun i guess and of course you've also got printers that will print human flesh for grafting or for replacement so you can have human flesh grow printed onto a scaffold which can then be surgically reattached to someone and it will heal it replaces a body part there's the same sort of harm the same

sort of potential for spam in these as there is in any other printer there's also things like the 3d printed guns the open source ones that you can download from almost anywhere you want with five minutes of google work print at home and have a working might be a stretch but some sort of gun which conveniently leads me on to for anyone who doesn't know xkcd i highly recommend it it has actually happened 3d printers have been hijacked in order to print penises this should surprise absolutely no one 3d printers aren't too dangerous they're dangerous if someone deliberately tries to use them to create something malicious they're in the nuisance if someone starts printing winged

penises out of your 3d printer and you have to explain to the lab head what's going on you might be wondering what this has to do with the whole genetic sequencing dna synthesis piece but just before that i'm going to do a quick shout out to a guy called chris roberts who roughly a decade ago found a way to go into tractors a whole set of tractors and update their firmware to change the planting distance if they had pushed that update out it would have meant that every single automated tractor from that manufacturer planted its crops too close together to get a harvest given that this planting usually happens roughly around the same time and this sort of attack might have been

difficult to spot and farmers don't order more than they need to in terms of planting so they would only have the stocks they need you would have then completely destroyed the grain harvest with a malicious software update and that's not just in america that was anywhere these were used now this this is a lovely device i really want one of these so if anyone has some money to spare you can buy me one this is a desktop dna synthesizer i can take it and i can print whatever dna sequence i want to i need to get the right cartridges for it they're amino acid cartridges but you know they're fairly cheap about 800 for one of those

and i've got no safety list there even the limited checking that the companies who do that synthesis have doesn't really apply even if they stick it in the device somewhere that's a device i've got physical access to there is nothing that's going to stop me doing what i want to with it this costs 15 000 euros this particular one so you know a bit expensive a bit more than i can afford right now but 3d printers cost that just a few years ago it has network connectivity so you can connect it to the internet and print from the convenience of your own home at the lab or at the hospital because these things are used for

creating retroviral treatments so some hospitals have them one's at the cutting edge of this research now i don't really have a nice clean and here's the solution thing to end this on or a twist that makes it all funny we're just starting to recover from a pandemic which has no matter what you think of the number of deaths or anything else severely negatively impacted the world a few years ago we might have called this unimaginable except that it was predicted repeatedly we knew exactly that this could happen it has shown not only how ill-equipped we are as a world to deal with this sort of thing to deal with a novel infectious virus but it also comes at the moment

when the means to manufacture a virus is available to anyone with the right expertise and 15 000 euros or the right expertise and an internet connection which can get them into a hospital's one or a last one this sounds like sci-fi and i do genuinely hope it stays that way but i just want to give you an absolute nightmare scenario someone malicious spends time gets the expertise to create a custom tailored virus one targeting specific traits one targeting a specific area mix-imatosis was a genetically engineered virus so they get the expertise to do that they compromise a hospital's desktop synthesizer which is being used to print retroviral treatments the hospital carries out the procedure you now have

that new viral code dropped into someone in a hospital with possibly no one having any idea until it's too late so when i said i really have no stinger i don't i've got no clear ending to this i have just got pretty much dread i've researched this a while ago and everything i read into it just made me feel worse i don't even really have a call to action the technology is out there the people with the expertise to do something about it are trying to and it is completely inadequate we should all be familiar with that feeling and this is genuinely a potential problem people have synthesized a live infectious extinct virus they have done it

they have done it and published the research on it so it may not just be potential it may be proximate this may be close i am very open to any ideas about how to sort this sort of thing i don't mean to alarm and i'm not saying we're all going to die but i am saying it is a possibility now during this just to establish that i've got some idea what i was talking about i did actually do far more reading than i wanted to i had nightmares after this there's the sources available if you want to check any of them yourselves and i'd love to know if there are any questions or solutions solutions would

be great

all right so i work with an organization called orbit rri which is responsible research and innovation and one of the things that we do is look at these types of things including for example uh chemical printers where it might be able to print off ibuprofen or bond making material so do you think that for example although you might not have a call for action yet that that particular group should also start be looking at this type of stuff very much so there is a group out there as i said who are working on ways to solve this it would definitely be worth looking at this sort of stuff and getting in contact with them because their

specialty is in genetics so they understand it far better than i do and they're very easy to find cool thank you so uh your genetic uh sort of like synthesis machine for fifteen thousand dollars is then enough in there that uh well we have printers where somebody sends a printer uh a printer printer that stays in the spooler and you go to the printer and you use your uh like id card to actually be scanned and it says yes i've got one in my school up for you i would print it if it remains in there for more than 15 minutes it dumped just to make sure that it's going to the the right person it's not going to

yeah there is potentially yes these these printers currently take about 24 hours to finish a job so it's not a 15-minute job

those buffers are potentially vulnerable if someone can get access to them if someone can get access to the firmware on the printer or there are any vulnerabilities i've not been able to find anything at all and this is one of the worst bits about any security testing done on these devices nothing so if there's a vulnerability any safety measure like that could be compromised i would hope that they've built things into that to prevent it but my specialty is security by design and i know how poorly that's often done with things like simple mobile apps which are really really easy to do it for so i i do not trust that they have done this and i've had no assurances

otherwise cool thank you does anyone else have any more

but you need physical access to them that's the same applies to printers 3d printers light bulbs people put light bulbs on the network doorbells dog feeders cat feeders keys door access systems cars so yes the simplest solution is to say you know what you have to do physical access and we'll apply physical security i just don't think it's going to happen reliably cool uh

thank yep um when you spoke about the potential attack you sort of went quite quickly through obtain the knowledge the genetic knowledge required yes i've got a feeling that's not quite as easy as you no no it's it's not is that is that barrier to entry enough because the motivation behind an attack would be one of terrorism at like anarchy it's it's not there's no way of profiting from it i would imagine so is it that that is the barrier of entries high enough to reduce this as being kind of viable proposition possibly but i'm not going to say i'd rely on that because while we can't see a profit motive in destabilization terrorism the world as

we have it today shows that plenty of people do they see benefit to them in it if a country can build a nuclear weapon and a lot of them can they can get the expertise to do this it takes study it takes training it would take years of research and effort but all of the information is available there are people who theoretically could do this they could then work alongside cyber security unethical hackers in order to actually exploit that and apply that so there is a barrier to entry and it is a knowledge barrier i'm not entirely comfortable relying on that anybody else have any questions well i'm here cool yeah yeah thank you um so you know you said

there was some some work on going is that all technical or is there anyone doing anything like a policy level and training i'm i'm not aware of anything being done at a policy level uh and for those of you who made my think tank talk earlier this would be a place to apply that and build our own think tank but no i've not found anything at a policy level there is this effort by a group to do a better way of doing that checking that they've not got very far and it's got no legislative legislative backing anywhere in the world at the moment there are countries where this sort of research is illegal i don't see that makes much of a

difference cool thank you i went over there yeah hello sorry it's just not too much question but just to address that so typically in the third year over biology or biochemistry or biology degree you end up doing a lot of things that we were discussing on this so out of like a four year course where you have an integrated dissertation you can have people learning the skills in third year and then applying them actually in lab in the fourth year so a lot of undergraduates will have these skills just fyi thank you i feel so much better yeah thanks for terrifying us wow sure surely the risk is from optimization of whatever the thing is

rather than um creating something new like coded or whatever yeah then you've got the wuhan question of how that would have come about bringing back small pots would not be a challenge let's put it that way would be terrifying yes just throw it i'm thinking purely hypothetically here you know you can't in front of the money would be awaiting certainly forever like viral imprint just kind of put like you know something that would stop it being printed so that's the whole idea that printers have a device that recognizes you're trying to print money and prevents it the answer is yes you could do something like that you would need to somehow be able to recognize every potentially harmful

genetic sequence which could be every genetic sequence so the false positive rate would render the technology useless even if you solve that problem if i've got physical access to the device and can find out how you've applied that safeguard there are ways around it but it would be an obstacle the more obstacles the better i think you've sufficiently terrified everyone which is usually where our conversations go this is why i don't sleep anymore i've noticed uh anyone would require any more questions any final questions nope cool well everybody give a warm round of applause for james