A Bluetooth bug allows faking a positive COVID-19 test

Researchers exploited a vulnerability in the popular Ellume COVID-19 Home Test to get a positive test.

With the world unable to ease the grip of the pandemic, testing remains an unwelcome, albeit important, fact of life. However, researchers at F-Secure showed it was possible to engineer a positive test.

The test in question was the Ellume COVID-19 Home Test, a self-administered antigen test that allows users to see if they have been infected with the virus.

The test works with a Bluetooth analyzer that allows users to bypass testing facilities and provides the user and health authorities with the result via Ellume’s mobile app.

To fake the result, F-Secure’s researcher Ken Gannon managed to trick the analyzer before the data was transmitted to the app. The manufacturer of the test has since fixed the vulnerability.

"Our research involved changing a negative test result to positive, but the process works both ways."

-Ken Gannon, a security consultant at F-Secure.

For the hack to work, the researcher used a rooted Android device. Launching an in-app process meant for activity debugging, Gannon was able to interact with the test analyzer over Bluetooth.

Two types of Bluetooth traffic from the test to the device determine whether the test is reported as positive, so the researchers wrote scripts specific to that traffic that changed a negative result into a positive one.

According to the research, at the time of the experiment, the Ellume test was a legitimate option to provide a negative test result in the United States. A third-party company, Azova, would observe whether the test was done correctly and provide a certificate of the results.

The test researchers hacked to change test results. Image by F-Secure.

“To prove that F-Secure could fake a positive COVID test and obtain a certificate from Azova, the F-Secure Marketing Manager Alexandra Rinehimer took the COVID test while being supervised,” Gannon writes.

Even though the test was negative, the script the researchers wrote changed the result to positive, prompting Azova to provide the certificate with an indication “positive” under the results column.

“Our research involved changing a negative test result to positive, but the process works both ways. Prior to Ellume’s fixes, highly skilled individuals or organizations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings,” explained Gannon.

Copy of the certificate with a 'positive' test result, engineered by the researchers. Image by F-Secure.

In practice, this means that hackers could have engineered themselves a certificate necessary to take part in certain activities in the US and to enter the country.

F-Secure informed Ellume about the issue, and the company has since fixed the problem. According to Alan Fox, the Head of Information Systems at Ellume, the company confirmed no other results were impacted.

“We will also deliver a verification portal to allow authorities – including health departments, employers, schools, event organizers, and others – to verify the authenticity of the Ellume COVID-19 Home Test,” Fox said.
