A Bluetooth Bug In a Popular At-Home COVID-19 Test Could Falsify Results (techcrunch.com) 39
An anonymous reader quotes a report from TechCrunch: A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results. F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check to see if they have been infected with the virus. Rather than submitting a sample to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume's mobile app. Gannon found, however, that the built-in Bluetooth analydzer could be tricked to allow a user to falsify a certifiable result before the Ellume app processes the data.
To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one. Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.
While Gannon's writeup only includes changing negative results to positive ones, he says that the process "works both ways." He also said that, before it was patched, "someone with the proper motivation and technical skills could've used these flaws to ensure they, or someone they're working with, gets a negative result every time they're tested." In theory, a fake certification could be submitted to meet U.S. re-entry requirements. In response to F-Secure's findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.
To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one. Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.
While Gannon's writeup only includes changing negative results to positive ones, he says that the process "works both ways." He also said that, before it was patched, "someone with the proper motivation and technical skills could've used these flaws to ensure they, or someone they're working with, gets a negative result every time they're tested." In theory, a fake certification could be submitted to meet U.S. re-entry requirements. In response to F-Secure's findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.
Hey guess what (Score:2)
I'll bet that if I sniffed the traffic from that app I could forge it to say anything I like, all without every having had to mess with bluetooth.
A user home-reporting is ALWAYS going to be potentially unreliable, just as any client ever should always be untrustworthy. Plan your reaction to the results accordingly, which means don't treat any home testing results as gospel.
Followup: More stupid concern than first thought (Score:3, Insightful)
I'll bet that if I sniffed the traffic from that app I could forge it to say anything I like
Scratch that, after some thought it's much more simple than that - how does the app ever know you really swabbed a human? I could just rub an orange or a pot roast or anything else over the test and it would happily report there was no Covid to be found. So why is anyone concerned that someone could theoretically work around a report from the device itself over Bluetooth when there are a million ways to forge any r
Re: (Score:3, Insightful)
Scratch that, after some thought it's much more simple than that - how does the app ever know you really swabbed a human? I could just rub an orange or a pot roast or anything else over the test and it would happily report there was no Covid to be found.
There are two antigens and three spots that act as sensors sensors.
Ever notice how a pregnancy test strip says it will display one line or two?
The one line is a control and is there to detect markers in the proper bodily fluid. The other line is the reactive chemical for detection.
The control detector is also the last one along the strip, which serves to also indicate enough fluid entered the wicking channel.
At home drug tests use the exact same method. Supervised drug tests however will change up the con
Re: (Score:2, Interesting)
It's only "at home" if you want the result for your private information. In the exploit they were supervised by a professional as required to obtain the official certificate. The trick is they used the user's phone, which was suitably programmed to intercept and alter the wireless data. Most definitive solution could be to just disallow the use of personal devices for the official test (like some school exams).
Re: (Score:1)
The one line is a control and is there to detect markers in the proper bodily fluid.
That probably is the case, however another workaround is to use someone you know is "clean" (like a child or some other family member who has not been out for a while).
Any unsupervised test should never be used as an officially verified result.
Yeah that part is crazy.
Re: (Score:2)
These devices could be useful at places like airports or other venues where they want to test people. An attacker could ensure that their test comes back negative.
Re: (Score:2)
Re: (Score:2)
>I could just rub an orange or a pot roast or anything else over the
>test and it would happily report there was no Covid to be found.
Nah, they thought of this.
It reports one of four results:
Positive
Negative
Inconclusive, or
Tasty.
:)
Hmmm, a familiar ethical quandary (Score:1)
lt is said that Political corruption always exists. The extent to which it is allowed to interfere in the lives of ordinary citizens is the same as the extent government is allowed to interfere in the markets, and in people's private lives. Certain types of governing encourage the excess of this interference by corruption, and certain types of governing discourage it.
In much the same vein, there are folks who will game the system of covid testing to their imagined advantaged individual benefit... to the det
white knight (Score:1)
Re: (Score:2)
A typo? Shouldn't that be *DON'T* get vaccinated.
Re: (Score:2)
Re: Until you get rid of the Democrats... (Score:1)
Even Trump is vaccinated and got the booster (Score:2)
Even Trump has been vaccinated and gotten the booster, along with Bill Riley. Trump was booed for admitting it, but most people are realizing getting vaccinated is no longer a political statement.
https://www.washingtonpost.com... [washingtonpost.com]
Re: (Score:2)
Apparently some of the smarter Republicans are finally beginning to see what's going on.
It's not the vaccine we're opposed to. It's the mandate. I've had my shots but I support other people's freedom to make stupid choices.
Re: (Score:2)
Note that I'm not expressing any specific opinion here w.r.t. mandates. I might even not like them myself . But I'm sure as hell not going to die for my god given right to be stupid. He (or She, or It, Or They, Or ..., as you prefer) also gave me a brain and thereby an obligation to use it...
Re: (Score:2)
I don't care at all what other people do.
Re: (Score:2)
A typo? Shouldn't that be *DON'T* get vaccinated.
I assume you didn't notice the post was made from a troll account pretending to be rsilvergun. "rsilvergIn ( 8596651 )" is just trying to sow confusion and knows most of us would just ignore the post if it came from an AC. The person created about 10 different misspellings of rsilvergun and uses them until his karma goes to -1, then gens up another.
Mhmm. And if I swab a sterile saline solution (Score:2, Informative)
instead of my nose?
And if I swab my wife or kid or neighbor instead of myself?
Heinlein once wrote something about a death ray being useless if you beat the shit out of the gunner with a club.
Re: (Score:2)
Heinlein was the King of Open Doors.
Maybe this is why... (Score:1)
They called a lot of there testers. Too bad because these testers were easy to use and the results were available in about 15 minutes. Personally, I found that the results were correct (I didn't try to hack them) as confirmed by a hospital ER.
A Bluetooth Bug? In a Medical test? (Score:3)
Re: (Score:2)
It's okay, we as soon as we identify the bug we'll sell the code as a NFT and be laughing all the way to the bank.
Wut? (Score:3)
I assume all this stupid overkill bullshit is doing is making you run the same test, waiting some time for the line to appear and then a light sensor looks at the line and then translates it into a readout. Exactly how digital pregnancy test kits work too, except eleventy times more stupid than even that since it has an app and bluetooth as well.
Re: (Score:2)
WTF is all this complexity even for???
Ever wonder why labs use test equipment rather than just disposable pH strips when testing water? Hint: If you're okay getting a handful of disposable LFT tests then you're not the target market for this product.
Re: (Score:2)
You do realize that the reason people are taking these tests is so they can provide proof of a negative test to third parties, right? Carrying a test strip around, and expecting, for instance, the hostess at a restaurant to interpret it, is eleventy times more stupid than having the result on your phone.
Re: (Score:2)
I suppose some employers might pay for kits and require staff to use it in the morning, or people traveling who need a negative test. But it is trivially easy to subvert the system and there would be an incentive for people to do it too if they wanted to work / travel even with COVID like symptoms.
Why? (Score:2)
Why does a Covid test need fucking bluetooth?
Re: (Score:2)
Re: (Score:2)
Or maybe for a perfectly reasonable reason - so you have evidence of the test you can present to third parties, which was presumably the reason for taking the test in the first place.