A security researcher discovered a Bluetooth weakness in a well-known at-home COVID-19 test that allowed him to alter the results. F-Secure researcher Ken Gannon discovered the issue in the Ellume COVID-19 Home Test, a self-administered antigen test that anyone can use to check whether they are infected with the virus.
Rather than the sample being sent to a lab, it is tested with a Bluetooth analyzer that works with Ellume’s mobile app, and the results are then transmitted to the user and health authorities. However, Gannon discovered that the built-in Bluetooth analyzer could be manipulated to allow a user to fabricate a verifiable result before the Ellume app processed it.
To carry out the hack, Gannon used a rooted Android handset to study the data the test was passing to the app. He then identified two types of Bluetooth traffic that were most likely responsible for informing the mobile app whether the user was COVID positive or negative, and wrote two scripts that effectively changed a negative result into a positive one.
Gannon says that an email from Ellume with his results wrongly stated that he had tested positive. To complete the proof of concept, F-Secure also obtained a certified copy of the falsified COVID-19 test results from Azova, a telehealth provider that Ellume works with to certify at-home COVID-19 tests for travel or going to work.
While Gannon’s description only mentions changing negative results to positive ones, he says that the procedure “works both ways.” “Someone with the necessary drive and technical abilities could’ve leveraged these issues to ensure they, or someone they’re working with, gets a poor result every time they’re tested,” he said, referring to the issue before it was corrected. In principle, a false certification might be used to fulfill re-entry criteria in the United States. Ellume says it has modified its system to identify and block the transmission of fraudulent data in response to F-Secure’s discoveries.
“We will also give a verification platform that will allow authorities — such as health agencies, employers, schools, event organizers, and others — to validate the legitimacy of the Ellume COVID-19 Home Test,” Alan Fox, Ellume’s head of Information Systems, stated.
“Ellume is confident in the accuracy of our ECHT test results, and we want to appreciate F-Secure for bringing this to our notice and for the work they do every day to safeguard consumers, businesses, and organizations all across the world.”