A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results.
F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check whether they have been infected with the virus. Rather than being submitted to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume’s mobile app.
Gannon found, however, that the built-in Bluetooth analyzer could be tricked into allowing a user to falsify a certifiable result before the Ellume app processes the data.
To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one.
The faked results from the Ellume at-home COVID-19 test. (Image Credit: F-Secure)
Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.
While Gannon’s writeup only includes changing negative results to positive ones, he says that the process “works both ways.” He also said that, before it was patched, “someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.” In theory, a fake certification could be submitted to meet U.S. re-entry requirements.
In response to F-Secure’s findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.
“We will also deliver a verification portal to allow authorities -- including health departments, employers, schools, event organizers and others -- to verify the authenticity of the Ellume COVID-19 Home Test,” said Alan Fox, Ellume's head of Information Systems. “Ellume is confident in the reliability of our ECHT test result, and we would like to thank F-Secure for bringing this issue to our attention and for the work they do every day to protect consumers, businesses and organizations around the globe.”