Their tests primarily used a public collection of human DNA sequences available for research. They also carried out a proof of concept test in the GEDMatch database but without interacting with other users' DNA data.
In IBS tiling, an attacker uploads several genomes found in public research databases and keeps track of which ones match with other genomes in the database, and where. If they can find enough matching tiles, they can put together most of someone's genome.
IBS probing can be used to hunt for people who carry a specific genetic variant - for example, a gene tied to Alzheimer's disease. To do this, the attacker creates a fake genome with a DNA sequence that isn't likely to match anyone, except for one small section that will match the gene of interest. Matches from the database are likely to be people with this genetic variant.
Finally, IBS baiting relies on tricking one class of algorithms used to identify relatives. (Not all databases use this type of algorithm, though.) Coop and Edge calculate that with as few as 100 uploaded DNA sequences, an attacker could use this method to obtain most of the genomic information in a database.
Coop and Edge carried out a proof-of-concept test with the GEDMatch database in December 2019. Working only with DNA sequences they had uploaded and using GEDMatch's 'research mode' so as not to interact with other users' data, they showed that IBS baiting could be used to identify specific genetic variants (single nucleotide polymorphisms, or SNPs) in the database.
All three attacks could be carried out by someone with knowledge of genetics and computing, such as a graduate student or serious hobbyist, but "the good news is that it's quite preventable," Edge said.
Coop and Edge's paper sets out a series of steps direct-to-consumer genetics services could take to block these attacks. While they have already shared the information with the leading services, they have had a 'varied' response, Coop said.
Using these services necessarily involves giving up personal information, and millions of people seem willing to do that in exchange for researching family history or other personal uses. But users should be more aware of exactly how much information they might be giving up when they access these services.
"We would like (the services) to clarify their vulnerabilities and how they're addressing them," Coop said.