Upon selecting this product for probing among a host of other new internet-enabled products, security researchers at F-Secure have shared their findings with others on the collaborative developer repository GitHub. F-Secure’s recent report entitled “FAKING A POSITIVE COVID TEST” was published by Ken Gannon on December 21st, 2021. According to the report, the team at F-Secure was able to successfully falsify COVID-19 test results and even obtain a certificate that verified the results.
The Ellume COVID-19 Home Test
The Ellume COVID-19 Home Test is a smart COVID-19 nasal sample home test. A Bluetooth-enabled device analyzes nasal samples, which it then passes to a proprietary smartphone application. The test has been authorized by the FDA and CDC and promises accurate results in 15 minutes. The test also fully complies with CDC requirements and HIPAA, with which it communicates through a proprietary, encrypted cloud connection. Ellume states that this patented test is “the only rapid home antigen test clinically proven for use with and without symptoms” that is 96% accurate, suitable for patients aged two years and older. The test comprises:
A nasal swab Processing fluid A dropper A Bluetooth analyzer that connects to an app
What Security Researchers at F-Secure Found
Security researchers at F-Secure discovered vulnerabilities in the proprietary Android smartphone app for Ellume’s COVID-19 Home Test. According to F-Secure Labs, the Android app contained an activity called “com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity.” This was an un-exported activity that, in the hands of someone with root access, could allow a user to directly interact with the analyzer via Bluetooth. By intercepting the Bluetooth data traveling to and from the device, the team was able to deduce two types of traffic: STATUS and MEASUREMENT_CONTROL_DATA. The team then converted this traffic data into “human readable data” and later was able to modify the data stream by changing minuscule byte values. Subsequently, the team was able to alter the COVID test result by “hooking” into multiple areas to modify BLE traffic. This was done before any processing by Ellume’s app took place.
Frida Script and Xposed Module
The team at F-Secure was able to create two PoC (Proof-of-Concept) hooks: a Frida script and an Xposed module. By using the Frida hook, a negative test could be changed into a positive test, which was later confirmed by an official email from Ellume. Secondly, launching the test with the Xposed Module hook successfully tricked third-party Azova’s supervision process.
Evidence of Cybersecurity Risks of IoT Devices
It is well known to the cybersecurity community that Bluetooth devices are vulnerable. The analyzer in this test, which comes with a supplementary app, is more proof that IoT (Internet of Things) smart devices and their proprietary software are extremely vulnerable to interception and alteration. For this reason, developed nations are introducing security legislation for IoT devices as IoT devices are a challenge for security teams. Adding to that, there is ample evidence that cybercriminals are increasingly targeting IoT devices. In this case, even third-party supervisor Azova, who offer to observe the test process via video, was not able to ascertain that something was off. This means that faked test results could theoretically allow travelers to enter the USA.
Issue Has Been Resolved
Ellume has since fixed this issue after F-Secure reached out to them with this study. Ellume has stated that they are implementing further analysis to catch spoofed data, and adding OS checks and obfuscation to help remedy the issues in the Android app. Furthermore, Ellume is in the process of creating a verification portal that will properly verify test results from the COVID-19 Home Test in the future.
