A Bluetooth bug allows faking a positive COVID-19 test
Researchers exploited a vulnerability in the popular Ellume COVID-19 Home Test to get a positive test.
With the world unable to ease the grip of the pandemic, testing remains an unwelcome, albeit important, fact of life. However, researchers at F-Secure showed it was possible to engineer a positive test.
The test in question was the Ellume COVID-19 Home Test, a self-administered antigen test that allows users to see if they have been infected with the virus.
The test works with a Bluetooth analyzer that lets users bypass testing facilities and provides the user and health authorities with the result via Ellume’s mobile app.
To fake a result, F-Secure researcher Ken Gannon managed to trick the analyzer before the data was transmitted to the app. The manufacturer of the test has since fixed the vulnerability.
"Our research involved changing a negative test result to positive, but the process works both ways."-Ken Gannon, a security consultant at F-Secure.
For the hack to work, the researcher used a rooted Android device. Launching an in-app process meant for activity debugging, Gannon was able to interact with the test analyzer over Bluetooth.
Since two types of Bluetooth traffic from the test to the device are responsible for whether the test was positive, researchers wrote traffic-specific scripts that changed a negative result into a positive one.
According to the research, at the time of the experiment, the Ellume test was a legitimate option to provide a negative test result in the United States. A third-party company, Azova, would observe whether the test was done correctly and provide a certificate of the results.
“To prove that F-Secure could fake a positive COVID test and obtain a certificate from Azova, the F-Secure Marketing Manager Alexandra Rinehimer took the COVID test while being supervised,” Gannon writes.
Even though the test was negative, the script the researchers wrote changed the result to positive, prompting Azova to provide the certificate with an indication “positive” under the results column.
“Our research involved changing a negative test result to positive, but the process works both ways. Prior to Ellume’s fixes, highly skilled individuals or organizations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings,” explained Gannon.
In practice, this means that hackers could have engineered themselves a certificate necessary to take part in certain activities in the US and to enter the country.
F-Secure informed Ellume about the issue, and the company has since fixed the problem. According to Alan Fox, the Head of Information Systems at Ellume, the company confirmed no other results were impacted.
“We will also deliver a verification portal to allow authorities – including health departments, employers, schools, event organizers, and others – to verify the authenticity of the Ellume COVID-19 Home Test,” Fox said.