Security researchers at F-Secure identified a Bluetooth vulnerability in a home test for COVID-19 that could be used to manipulate test results. Ellume, the manufacturer, addressed the flaw when F-Secure shared the problem with them.

Security researchers found a vulnerability in a home test for COVID-19 that a bad actor could use to change test results from positive to negative or vice versa. F-Secure found that the Ellume COVID-19 Home Test could be manipulated via the Bluetooth device that analyzes a nasal sample and communicates the results to the app.

Ellume fixed the flaw after F-Secure explained the vulnerability. The Ellume test is one of the tests travellers can use to enter the United States. Some event organizers are requiring proof of vaccination for attendees, including CES 2022. If an attendee tests positive during that event, he or she will be asked to return the event badge and quarantine for 10 days.

Here’s how the test works: A user downloads an app, answers a few screening questions, watches an informational video and then performs the test. The testing device connects to the app via Bluetooth to report the test results.

The company explained the flaw this way:

“F-Secure determined that by changing only the byte value representing the ‘status of the test’ in both STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by calculating new CRC and checksum values, it was possible to alter the COVID test result before the Ellume app processes the data.”

Security researchers exploited the vulnerability to change a negative test to positive. The app automatically reports the required data to health authorities via a HIPAA compliant cloud connection.

Ellume also offers a video observation service to verify the test-taking process and the results. A proctor watches an individual taking the test and then issues a certificate with the results.

This false report was reflected in the official certificate issued by Ellume, which listed a positive test result for COVID-19. F-Secure posted the research files for this experiment on GitHub.


Ken Gannon, a principal security consultant in F-Secure’s New York City office, found the flaw that allows a bad actor to change the results after the Bluetooth analyzer performs the test but before the results are reported by the app.

“Prior to Ellume’s fixes, highly skilled individuals or organizations with cybersecurity expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings,” Gannon said in a press release. “Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”

F-Secure contacted Ellume to explain these findings before making a public announcement and recommended that the company take these steps:

  • Implement further analysis of results to flag spoofed data
  • Implement additional obfuscation and OS checks in the Android app
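The flaw quoted above worked because a CRC or checksum can be recomputed by anyone who edits the data, so it catches transmission errors but not deliberate changes. The following added example (not Ellume's or F-Secure's code) shows one general way a backend can flag such a change: the analyzer tags each result with a keyed MAC that is checked server-side. The frame layout, key, nonce and function names are all constructed for illustration and are not Ellume's protocol or its actual fix.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout (NOT Ellume's real protocol):
#   msg_type(1) | status(1) | counter(4, big-endian) | crc32(4)
# An authenticated frame appends a 32-byte HMAC-SHA256 tag.
DEVICE_KEY = bytes(range(32))  # constructed key; assumed to live only in the analyzer and the backend
NEGATIVE, POSITIVE = 0x00, 0x01
FRAME_LEN, TAG_LEN = 10, 32

def crc_frame(status: int, counter: int) -> bytes:
    """Build a result frame protected only by a CRC."""
    body = struct.pack(">BBI", 0x10, status, counter)
    return body + struct.pack(">I", zlib.crc32(body))

def crc_ok(frame: bytes) -> bool:
    """CRC check: detects corruption, not intent."""
    (crc,) = struct.unpack(">I", frame[6:10])
    return zlib.crc32(frame[:6]) == crc

def sign_frame(frame: bytes, nonce: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Analyzer side: MAC over the backend's session nonce plus the frame."""
    return frame + hmac.new(key, nonce + frame, hashlib.sha256).digest()

def verify_frame(signed: bytes, nonce: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Backend side: accept only if length, CRC and MAC all check out."""
    if len(signed) != FRAME_LEN + TAG_LEN:
        return False
    frame, tag = signed[:FRAME_LEN], signed[FRAME_LEN:]
    expected = hmac.new(key, nonce + frame, hashlib.sha256).digest()
    return crc_ok(frame) and hmac.compare_digest(tag, expected)

def tampered_copy(signed: bytes, status: int) -> bytes:
    """Test fixture: status byte changed and CRC recomputed, as in the quote.
    The tag is left as-is because the key is not available outside the analyzer."""
    body = bytearray(signed[:6])
    body[1] = status
    body = bytes(body)
    return body + struct.pack(">I", zlib.crc32(body)) + signed[FRAME_LEN:]

if __name__ == "__main__":
    nonce = b"session-nonce-01"  # constructed; issued per test session by the backend
    genuine = sign_frame(crc_frame(POSITIVE, 7), nonce)
    altered = tampered_copy(genuine, NEGATIVE)
    print("genuine accepted:", verify_frame(genuine, nonce))
    print("altered CRC valid:", crc_ok(altered[:FRAME_LEN]))
    print("altered accepted:", verify_frame(altered, nonce))
```

Verification belongs on the backend rather than in the phone app, because the change described above happens before the app processes the data; the per-session nonce also makes a genuine frame from an earlier test fail verification.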

Alan Fox, head of information systems at Ellume, said in a press release that the company has updated its system to detect and prevent the transmission of falsified results.

“We will also deliver a verification portal to allow organizations — including health departments, employers, schools and others — to verify the authenticity of the Ellume COVID-19 Home Test,” he said. “We would like to thank F-Secure for bringing this issue to our attention.”

Ellume’s home test was approved by the FDA in December 2020 and is one of the tests international travellers can use to show negative test results.