A security researcher was able to change the results of an at-home COVID test and get those results certified by intercepting and modifying Bluetooth traffic from the device before it reached the app. The researcher, Ken Gannon, found the flaw in Ellume’s nasal swab test, which is designed to analyze and transmit data to a companion app which displays and saves the results. According to a press release from F-Secure, the security company Gannon consults for, Ellume has now fixed the issue.
The process of falsifying results wasn’t a simple one — according to F-Secure’s writeup, the researcher used a rooted Android device to tap into and analyze the data the tester was sending to the app. From there, Gannon was able to determine how the results were sent, and how their authenticity was verified. Then, he wrote two scripts that were able to successfully change a negative result into a positive one. When he got an email with his results from Ellume, he says, it incorrectly showed he had tested positive. If you’re interested in the technical details, you can read the writeup here.
Ellume says it followed F-Secure’s recommendations to do more analysis to ensure that data was accurate, and made changes to the app that should make it harder to analyze its data or take over the data transmission. Gannon told The Verge in an email that he didn’t test to see if his research was applicable to the iOS version of the app, and that the goal of his research was “to see if an ‘average person’ can fake a positive/negative COVID test.” He said that, in theory, “a dedicated threat actor could use [his] research to modify the Ellume app to always report a positive / negative result,” which could be installed on a non-rooted phone.
While Gannon’s writeup only includes changing negative results to positive ones, he says in F-Secure’s press release that “the process works both ways.” Before Ellume’s patches, Gannon says that “someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”
In theory, a fake certification could be submitted to meet US re-entry requirements. Not only was F-Secure able to get an incorrect result certified, it did so without a video test supervisor being able to detect it.
The press release says Ellume is now working on a “verification portal” that will let authorities verify that its at-home tests are authentic, and has gone back to analyze all its previous results for accuracy. Ellume says it found that none of them had been faked.