A security researcher was able to alter the results of an at-home COVID-19 test, and have the altered results certified, by intercepting and modifying the Bluetooth traffic the test device sends to its companion app. The researcher, Ken Gannon, found the flaw in Ellume’s nasal-swab test, which analyzes the sample and forwards the data to a companion app that displays and stores the result. According to a press release from F-Secure, the security company Gannon consults for, Ellume has since fixed the issue.
The process of falsifying results wasn’t easy: according to F-Secure’s description, the researcher used a rooted Android device to intercept and analyze the data the test device sent to the app. From there, Gannon could control both how the results were sent and how their authenticity was verified. He then wrote two scripts that turned a negative result into a positive one. When he received the email with his results from Ellume, he says, it falsely showed that he had tested positive. If you are interested in the technical details, you can read F-Secure’s description here.
Ellume says it followed F-Secure’s recommendations to perform additional analysis to ensure the data is accurate, and made changes to the app that should make it more difficult to analyze or tamper with the data. Gannon told The Verge in an email that he did not test whether his research applied to the iOS version of the app, and that the purpose of his research was “to see if an ‘average person’ could fake a positive/negative COVID test.” He said that, in theory, “a dedicated threat actor could use [his] research to modify the Ellume app to always report a positive/negative result,” and that such a modified app could be installed on a non-rooted phone.
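The security point behind the two paragraphs above is general: if the phone app is the party that receives the result and also the party that checks its authenticity, then whoever controls the phone (a rooted device, or a modified app) controls both. The following is an added illustration, not Ellume’s protocol and not Gannon’s scripts; the message layout, the CRC-based “check”, the per-device key and the sample values are all hypothetical. It contrasts a result message whose integrity check the phone can recompute with one that carries a MAC under a key the phone never holds and that only the server verifies, which is the shape of the “more analysis on the server” fix the article describes.

```python
import hashlib
import hmac
import struct
import zlib
from typing import Optional

# Constructed sample values for this example; none of them come from Ellume or F-Secure.
TEST_ID = b"TEST0001"        # hypothetical 8-byte test identifier
DEVICE_KEY = b"\x11" * 32    # hypothetical per-device secret provisioned at manufacture
RESULT_NEGATIVE = 0
RESULT_POSITIVE = 1
TAG_LEN = hashlib.sha256().digest_size


def encode_weak(test_id: bytes, result: int) -> bytes:
    """Weak design: test id + result byte + CRC32, checked by the app on the phone.
    A CRC detects transmission errors, not an attacker who can recompute it."""
    body = test_id + bytes([result])
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_weak(msg: bytes) -> Optional[int]:
    """Client-side 'authenticity' check: returns the result byte if the CRC matches."""
    body, crc = msg[:-4], struct.unpack(">I", msg[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return body[-1]


def tamper_weak(msg: bytes, new_result: int) -> bytes:
    """Attacker position from the article: traffic captured on a rooted phone,
    result byte flipped, and the phone-computable check simply recomputed."""
    body = msg[:-4]
    body = body[:-1] + bytes([new_result])
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def encode_signed(device_key: bytes, test_id: bytes, result: int) -> bytes:
    """Hardened design: the device MACs the result under a key the phone never
    sees; the app only relays the message to the server."""
    body = test_id + bytes([result])
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


def server_verify(device_key: bytes, msg: bytes) -> Optional[int]:
    """Verification moved to the server, the only party besides the device that
    holds the key. Constant-time compare avoids leaking the tag via timing."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body[-1]


def tamper_signed(msg: bytes, new_result: int) -> bytes:
    """Same attacker, same flip: without the device key the tag cannot be
    recomputed, so the stale tag no longer matches the modified body."""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    return body[:-1] + bytes([new_result]) + tag


if __name__ == "__main__":
    weak = encode_weak(TEST_ID, RESULT_NEGATIVE)
    print("weak design, forged message accepted as:", verify_weak(tamper_weak(weak, RESULT_POSITIVE)))
    signed = encode_signed(DEVICE_KEY, TEST_ID, RESULT_NEGATIVE)
    print("signed design, forged message verifies as:", server_verify(DEVICE_KEY, tamper_signed(signed, RESULT_POSITIVE)))
```

The caveat is where the key lives: if the app itself held DEVICE_KEY so it could verify locally, a rooted phone could extract it and the hardened version would collapse back to the weak one. The integrity check only helps when it is evaluated somewhere the person holding the phone cannot reach, which is why the fix the article describes is server-side analysis and a verification portal rather than a stronger check inside the app.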
While Gannon’s description only includes turning negative results into positive ones, he says in F-Secure’s press release that “the process works both ways.” Before Ellume’s patches, Gannon said that “someone with the right motivation and technical skills could have used these flaws to ensure that they, or anyone they work with, get a negative result every time they are tested.”
In theory, a false certification could be submitted to meet US re-entry requirements. Not only was F-Secure able to get an incorrect result certified, it did so without the video test supervisor being able to detect it.
The press release says Ellume is now working on a “verification portal” that will let authorities check that at-home test results are authentic, and has gone back over all previous results to check them for accuracy. Ellume says it found that none of them had been faked.