Security vendor F-Secure has faked a COVID test result on a Bluetooth-equipped home COVID Test. Thankfully the vendor’s since fixed the device.
The firm tested the Ellume COVID-19 Home Test, a device selected specifically because it uses a “Bluetooth connected analyzer for use with an app on your phone.”
As F-Secure probed the device and its companion app, its researchers spotted an un-exported activity called
com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity Users with root level access to an Android machine can launch that activity to “help interact with the analyzer over Bluetooth”, F-Secure found.
Further footling found two types of Bluetooth traffic related to communicating test results. F-Secure’s researchers were able to mess with those, as follows:
By changing only the byte value representing the "status of the test" in both STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by calculating new CRC and checksum values, it was possible to alter the COVID test result before the Ellume app processes the data.
It gets worse: faked data produced by Ellume unit was happily ingested by an outfit named Azova that certifies the results of COVID tests so that travelers can enter the USA. F-Secure’s post details a test in which one of its staff used the Ellume device to test for COVID, produced a negative result, but used the methods above to falsify the results.
- UK.gov emits draft IoT and smartphone security law for Parliamentary scrutiny
- UK Ministry of Justice secures HVAC systems 'protected' by passwordless Wi-Fi after Register tipoff
- Research finds consumer-grade IoT devices showing up... on corporate networks
The security company explained its work to Ellume and recommended some changes. F-Secure’s post states that Ellume has followed those recommendations and implemented:
- Further analysis of results to flag spoofed data
- Additional obfuscation and OS checks in the Android app
F-Secure has shared its work on GitHub.
Alan Fox, Ellume's head of information systems, sent the following statement to The Register:
“Ellume has updated our system to detect and prevent the transmission of falsified results. In addition, we have analyzed all results to-date and confirmed no other results were impacted. We will also deliver a verification portal to allow authorities – including health departments, employers, schools, event organizers and others – to verify the authenticity of the Ellume COVID-19 Home Test."
“Our test is already one of the most secure on the market and thanks to F-Secure’s insights, our ECHT is now even more secure – particularly compared to currently available non-digital tests, which can be easily falsified simply by putting soda or water on the test without requiring any specialized skills. Ellume is confident in the reliability of our ECHT test result, and we would like to thank F-Secure for bringing this issue to our attention and for the work they do every day to protect consumers, businesses and organizations around the globe." ®