The Elephant in the Room: Software and Hardware Security Vulnerabilities of Portable Sequencing Devices

TL;DR

Portable genome sequencing devices introduce new security and privacy vulnerabilities due to their connectivity and hardware, requiring enhanced safeguards like authentication, integrity checks, and encryption to protect sensitive genomic data.

Contribution

This paper identifies security and privacy risks specific to portable sequencing devices and offers practical recommendations for safeguarding genomic data in this emerging context.

Findings

Highlight security risks from connected devices and networks

Recommend authentication, integrity checks, and encryption measures

Emphasize need for ongoing security reevaluation as technology evolves

Abstract

Portable genome sequencing technology is revolutionizing genomic research by providing a faster, more flexible method of sequencing DNA and RNA [1, 2]. The unprecedented shift from bulky stand-alone benchtop equipment confined in a laboratory setting to small portable devices which can be easily carried anywhere outside the laboratory network and connected to untrusted external computers to perform sequencing raises new security and privacy threats not considered before. Current research primarily addresses the privacy of DNA/RNA data in online databases [3] and the security of stand-alone sequencing devices such as Illumina [4]. However, it overlooks the security risks arising from compromises of computer devices directly connected to portable sequencers as illustrated in Fig. 1. While highly sensitive data, such as the human genome, has become easier to sequence, the networks connecting to these smaller devices and the hardware running basecalling can no longer implicitly be trusted, and doing so can deteriorate the confidentiality and integrity of the genomic data being processed. Here, we present new security and privacy threats of portable sequencing technology and recommendations to aid in ensuring sequencing data is kept private and secure. First, to prevent unauthorized access to sequencing devices, IP addresses should not be considered a sufficient authentication mechanism. Second, integrity checks are necessary for all data passed from the sequencer to external computers to avoid data manipulation. Finally, encryption should be considered as data is passed from the sequencer to such external computers to prevent eavesdropping on data as it is sent and stored. As devices and technology rapidly change, it becomes paramount to reevaluate security requirements alongside them or risk leaving some of our most sensitive data exposed.