A Bluetooth Bug In a Popular At-Home COVID-19 Test Could Falsify Results

An anonymous reader quotes a report from TechCrunch: A security researcher found a Bluetooth vulnerability in a popular at-home COVID-19 test allowing him to modify its results. F-Secure researcher Ken Gannon identified the since-fixed flaw in the Ellume COVID-19 Home Test, a self-administered antigen test that individuals can use to check to see if they have been infected with the virus. Rather than submitting a sample to a testing facility, the sample is tested using a Bluetooth analyzer, which then reports the result to the user and health authorities via Ellume's mobile app. Gannon found, however, that the built-in Bluetooth analydzer could be tricked to allow a user to falsify a certifiable result before the Ellume app processes the data.

To carry out the hack, Gannon used a rooted Android device to analyze the data the test was sending to the app. He then identified two types of Bluetooth traffic that were most likely in charge of telling the mobile app if the user was COVID positive or negative, before writing two scripts that were able to successfully change a negative result into a positive one. Gannon says that when he received an email with his results from Ellume, it incorrectly showed he had tested positive. To complete the proof-of-concept, F-Secure also successfully obtained a certified copy of the faked COVID-19 test results from Azova, a telehealth provider that Ellume partners with for certifying at-home COVID-19 tests for travel or going into work.

While Gannon's writeup only includes changing negative results to positive ones, he says that the process "works both ways." He also said that, before it was patched, "someone with the proper motivation and technical skills could've used these flaws to ensure they, or someone they're working with, gets a negative result every time they're tested." In theory, a fake certification could be submitted to meet U.S. re-entry requirements. In response to F-Secure's findings, Ellume says it has updated its system to detect and prevent the transmission of falsified results.

Hey guess what

[SuperKendall]

I'll bet that if I sniffed the traffic from that app I could forge it to say anything I like, all without every having had to mess with bluetooth.

A user home-reporting is ALWAYS going to be potentially unreliable, just as any client ever should always be untrustworthy. Plan your reaction to the results accordingly, which means don't treat any home testing results as gospel.

Followup: More stupid concern than first thought

[SuperKendall]

I'll bet that if I sniffed the traffic from that app I could forge it to say anything I like

Scratch that, after some thought it's much more simple than that - how does the app ever know you really swabbed a human? I could just rub an orange or a pot roast or anything else over the test and it would happily report there was no Covid to be found. So why is anyone concerned that someone could theoretically work around a report from the device itself over Bluetooth when there are a million ways to forge any r

Re:

[Anonymous Coward]

Scratch that, after some thought it's much more simple than that - how does the app ever know you really swabbed a human? I could just rub an orange or a pot roast or anything else over the test and it would happily report there was no Covid to be found.

There are two antigens and three spots that act as sensors sensors.

Ever notice how a pregnancy test strip says it will display one line or two?
The one line is a control and is there to detect markers in the proper bodily fluid. The other line is the reactive chemical for detection.
The control detector is also the last one along the strip, which serves to also indicate enough fluid entered the wicking channel.

At home drug tests use the exact same method. Supervised drug tests however will change up the con

Re:

[Anonymous Coward]

It's only "at home" if you want the result for your private information. In the exploit they were supervised by a professional as required to obtain the official certificate. The trick is they used the user's phone, which was suitably programmed to intercept and alter the wireless data. Most definitive solution could be to just disallow the use of personal devices for the official test (like some school exams).

Re:

[SuperKendall]

The one line is a control and is there to detect markers in the proper bodily fluid.

That probably is the case, however another workaround is to use someone you know is "clean" (like a child or some other family member who has not been out for a while).

Any unsupervised test should never be used as an officially verified result.

Yeah that part is crazy.

Re:

[AmiMoJo]

These devices could be useful at places like airports or other venues where they want to test people. An attacker could ensure that their test comes back negative.

Re:

[e3m4n]

the at-home kits that are accepted as proof (such as vaccinated persons going on a cruise that dont require PCR) require a video proctor to verify you took a sample from yourself and not, say, your neighbor. They have to watch you swab your nose and run the test. I suppose if this kit is one of the ones that use a proctor, it is possible to return a negative to enable a successful boarding. However, the number of people who know they are positive and willingly spread a contagion is an astronomically small n

Re:

[hawk]

>I could just rub an orange or a pot roast or anything else over the
>test and it would happily report there was no Covid to be found.

Nah, they thought of this.

It reports one of four results:

Positive
Negative
Inconclusive, or
Tasty.

:)

Hmmm, a familiar ethical quandary

[rmdingler]

lt is said that Political corruption always exists. The extent to which it is allowed to interfere in the lives of ordinary citizens is the same as the extent government is allowed to interfere in the markets, and in people's private lives. Certain types of governing encourage the excess of this interference by corruption, and certain types of governing discourage it.

In much the same vein, there are folks who will game the system of covid testing to their imagined advantaged individual benefit... to the det

white knight

[Anonymouse Cowtard]

Good thing he reported this rather than reap buckets of virtual currency on the virtually private virtually dark virtual web.

Re:

[evanh]

A typo? Shouldn't that be *DON'T* get vaccinated.

Re:

[mce]

Apparently some of the smarter Republicans are finally beginning to see what's going on. The virus doesn't care at all whether you are R or D, but if science denying R's insist on doing their very best to get infected (and possibly die) more often, "just because the D's are now in charge and shall not ever control my R-valued life", then the D's are more likely to remain in charge.

Re: Until you get rid of the Democrats...

[rpnx]

Yup turns out with more republicans dying from covid than democrats it gives democrats an advantage in the elections... darwinism in action?

Even Trump is vaccinated and got the booster

[CaptQuark]

Even Trump has been vaccinated and gotten the booster, along with Bill Riley. Trump was booed for admitting it, but most people are realizing getting vaccinated is no longer a political statement.
https://www.washingtonpost.com... [washingtonpost.com]

Re:

[CubicleZombie]

Apparently some of the smarter Republicans are finally beginning to see what's going on.

It's not the vaccine we're opposed to. It's the mandate. I've had my shots but I support other people's freedom to make stupid choices.

Re:

[mce]

So you/they'd rather die just because someone insists in saving you/them? Such behavior is exactly the counterproductive stupidity that I described.

Note that I'm not expressing any specific opinion here w.r.t. mandates. I might even not like them myself . But I'm sure as hell not going to die for my god given right to be stupid. He (or She, or It, Or They, Or ..., as you prefer) also gave me a brain and thereby an obligation to use it...

Re:

[CubicleZombie]

I don't care at all what other people do.

Re:

[CaptQuark]

A typo? Shouldn't that be *DON'T* get vaccinated.

I assume you didn't notice the post was made from a troll account pretending to be rsilvergun. "rsilvergIn ( 8596651 )" is just trying to sow confusion and knows most of us would just ignore the post if it came from an AC. The person created about 10 different misspellings of rsilvergun and uses them until his karma goes to -1, then gens up another.

Mhmm. And if I swab a sterile saline solution

[RightwingNutjob]

instead of my nose?

And if I swab my wife or kid or neighbor instead of myself?

Heinlein once wrote something about a death ray being useless if you beat the shit out of the gunner with a club.

Re:

[tsa]

Heinlein was the King of Open Doors.

Maybe this is why...

[I75BJC]

Ellume recalled their COVID-19 Home Tests.
They called a lot of there testers. Too bad because these testers were easy to use and the results were available in about 15 minutes. Personally, I found that the results were correct (I didn't try to hack them) as confirmed by a hospital ER.

A Bluetooth Bug? In a Medical test?

[oldgraybeard]

Must be because the blockchain used had a flexible output.

Re:

[thegarbz]

It's okay, we as soon as we identify the bug we'll sell the code as a NFT and be laughing all the way to the bank.

Wut?

[DrXym]

A blue tooth connected testing device connected to a phone. WTF is all this complexity even for??? If you need to take a LFT test, buy a pack of them, follow the procedure and a little line says if you're (probably) infected or (probably) not.

I assume all this stupid overkill bullshit is doing is making you run the same test, waiting some time for the line to appear and then a light sensor looks at the line and then translates it into a readout. Exactly how digital pregnancy test kits work too, except eleventy times more stupid than even that since it has an app and bluetooth as well.

Re:

[thegarbz]

WTF is all this complexity even for???

Ever wonder why labs use test equipment rather than just disposable pH strips when testing water? Hint: If you're okay getting a handful of disposable LFT tests then you're not the target market for this product.

Re:

[bws111]

You do realize that the reason people are taking these tests is so they can provide proof of a negative test to third parties, right? Carrying a test strip around, and expecting, for instance, the hostess at a restaurant to interpret it, is eleventy times more stupid than having the result on your phone.

Re:

[DrXym]

No restaurant would demand this as a condition of entry and if they did then they're idiots and they won't have customers.

I suppose some employers might pay for kits and require staff to use it in the morning, or people traveling who need a negative test. But it is trivially easy to subvert the system and there would be an incentive for people to do it too if they wanted to work / travel even with COVID like symptoms.

Why?

[ThurstonMoore]

Why does a Covid test need fucking bluetooth?

Re:

[sabbede]

It wouldn't be expensive enough otherwise? Or maybe they ran out of indicator strips but had an assload of bluetooth-enabled SoCs? Oh, perhaps they assumed that nobody knows how to look at things that aren't their phones anymore?

Re:

[bws111]

Or maybe for a perfectly reasonable reason - so you have evidence of the test you can present to third parties, which was presumably the reason for taking the test in the first place.