Researchers at F-Secure tested a Bluetooth-equipped home COVID-19 test and were able to fake the test result.
For the test, the experts used the Ellume COVID-19 Home Test, whose analyzer connects to a smartphone via Bluetooth and is paired with a companion app.
During tests, the researchers noticed the Android activity com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity. It turned out that users with root access can run it to “help interact with the analyzer via Bluetooth.”
Further investigation revealed two types of Bluetooth traffic associated with the transmission of test results. The researchers write that they were able to tamper with the traffic as follows:
“By changing only the value of one byte in the status of the test in STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by the calculation of new CRC and checksum values, we could change the test result to COVID even before the Ellume application processes the data.”
Worse, the fake data provided by Ellume was successfully accepted by Azova, which certifies COVID test results so that travelers can enter the United States.
The F-Secure report also details how one of the company’s employees used the Ellume device to test for COVID: the test turned out negative, but the experts applied the aforementioned methods to change the result.
Researchers from F-Secure shared their developments on GitHub.
Fortunately, the problem has now been fixed. The specialists notified the Ellume developers of their findings, and they made changes to their product. In particular, additional obfuscation and OS checks were introduced in the Android application, and now additional analysis of test results is being carried out, which is designed to identify fake data.
“Ellume has updated the system to detect and prevent the transmission of falsified results. In addition, we have reviewed all test results made to date and confirm that the other results were not affected by the error. We will provide a verification portal that will allow authorities (including health departments, employers, schools, event organizers, and so on) to verify the authenticity of Ellume’s COVID-19 home test,” the developers said.
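Why a recomputed CRC was enough for an altered status byte to be accepted, and what a keyed tag verified by the receiver changes, shown as an added example (not F-Secure's or Ellume's code). The frame layout, status codes and key are constructed for illustration, CRC-32 stands in for the CRC and checksum the researchers mention, and HMAC is one possible design rather than the fix Ellume describes.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical frame (not Ellume's format): 1-byte status + 4-byte reading,
# followed by a trailer. Status codes below are assumed for illustration.
NEGATIVE, POSITIVE = 0x00, 0x01
DEVICE_KEY = bytes(range(32))  # constructed secret held by analyzer and back end


def frame_crc(status: int, reading: int) -> bytes:
    """Body plus CRC-32: catches transmission errors, needs no secret."""
    body = struct.pack(">BI", status, reading)
    return body + struct.pack(">I", zlib.crc32(body))


def frame_mac(status: int, reading: int, key: bytes) -> bytes:
    """Body plus HMAC-SHA256 computed by the analyzer with its key."""
    body = struct.pack(">BI", status, reading)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def crc_ok(frame: bytes) -> bool:
    return struct.pack(">I", zlib.crc32(frame[:5])) == frame[5:]


def mac_ok(frame: bytes, key: bytes) -> bool:
    expected = hmac.new(key, frame[:5], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[5:])


def relay_edit(frame: bytes, new_status: int) -> bytes:
    """Model of a relay without the key: it changes the status byte and can
    only repair a trailer that is a public function of the body (the CRC)."""
    body, trailer = bytes([new_status]) + frame[1:5], frame[5:]
    if len(trailer) == 4:
        trailer = struct.pack(">I", zlib.crc32(body))
    return body + trailer


def demo() -> dict:
    crc_frame = frame_crc(NEGATIVE, 1234)
    mac_frame = frame_mac(NEGATIVE, 1234, DEVICE_KEY)
    return {
        "crc_original": crc_ok(crc_frame),
        "crc_edited": crc_ok(relay_edit(crc_frame, POSITIVE)),
        "mac_original": mac_ok(mac_frame, DEVICE_KEY),
        "mac_edited": mac_ok(relay_edit(mac_frame, POSITIVE), DEVICE_KEY),
    }
```

The keyed check only helps if the key stays out of the phone app, for example inside the analyzer and on the service that certifies the result.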