F-Secure uses flaw in at-home COVID-19 test to fake results

Safety researchers used a Bluetooth vulnerability to alter destructive outcomes to optimistic.


Safety researchers at F-Safe recognized a Bluetooth vulnerability in a house take a look at for COVID-19 that could possibly be used to govern take a look at outcomes. Ellume, the producer, addressed the flaw when F-Safe shared the issue with them.

Picture: F-Safe

Safety researchers discovered a vulnerability in a house take a look at for COVID-19 {that a} unhealthy actor might use to alter take a look at outcomes from optimistic to destructive or vice versa. F-Safe discovered that the Ellume COVID-19 Residence Check could possibly be manipulated through the Bluetooth gadget that analyzes a nasal pattern and communicates the outcomes to the app.

Ellume mounted the flaw after F-Safe defined the vulnerability. Ellume is likely one of the checks travellers can use to enter the USA. Some occasion organizers are requiring proof of vaccination for attendees, together with CES 2022. If an attendee checks optimistic throughout that occasion, she or he will likely be requested to return the occasion badge and quarantine for 10 days. 

This is how the take a look at works: A consumer downloads an app, solutions just a few screening questions, watches an informational video after which performs the take a look at. The testing gadget connects to the app through Bluetooth to report the take a look at outcomes. 

The corporate defined the flaw this manner:

“F-Safe decided that by altering solely the byte worth representing the ‘standing of the take a look at’ in each STATUS and MEASUREMENT_CONTROL_DATA visitors, adopted by calculating new CRC and checksum values, it was doable to change the COVID take a look at outcome earlier than the Ellume app processes the information.”

Safety researchers exploited the vulnerability to alter a destructive take a look at to optimistic. The app mechanically reviews the required knowledge to well being authorities through a HIPAA compliant cloud connection. 

Allume additionally gives a video statement service to confirm the test-taking course of and the outcomes. A proctor watches a person taking the take a look at after which points a certificates with the outcomes.

 This false report was mirrored within the official certificates issued by Ellume, which listed a optimistic take a look at outcome for COVID-19. F-Safe posted the analysis information for this experiment on Github.

Ken Gannon, a principal safety marketing consultant in F-Safe’s New York Metropolis workplace, discovered the flaw that permits a nasty actor to alter the outcomes after the Bluetooth analyzer performs the take a look at however earlier than the outcomes are reported by the app.

“Previous to Ellume’s fixes, extremely expert people or organizations with cybersecurity experience attempting to bypass public well being measures meant to curb COVID’s unfold, might’ve finished so by replicating our findings,” Gannon stated in a press launch. “Somebody with the right motivation and technical abilities might’ve used these flaws to make sure they, or somebody they’re working with, will get a destructive outcome each time they’re examined.”

F-Safe contacted Ellume to elucidate these findings earlier than making a public announcement and really helpful that the corporate take these steps: 

  • Implement additional evaluation of outcomes to flag spoofed knowledge
  • Implement extra obfuscation and OS checks within the Android app

Alan Fox, head of knowledge techniques at Ellume, stated in a press launch that the corporate has up to date its system to detect and stop the transmission of falsified outcomes. 

“We may even ship a verification portal to permit organizations — together with well being departments, employers, colleges and others — to confirm the authenticity of the Ellume COVID-19 Residence Check,” he stated. “We wish to thank F-Safe for bringing this difficulty to our consideration.”

Ellume’s house take a look at was permitted by the FDA in December 2020 and is likely one of the take a look at worldwide travellers can use to point out destructive take a look at outcomes.

Recent Articles


Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Stay on op - Ge the daily news in your inbox