Hackers were able to game third-party-observed test results from the Bluetooth-enabled Ellume COVID-19 Home Test without modifying the testing device itself, according to researchers, by running a script or a modified testing application on their phone. Ellume has since patched the vulnerability.
The Ellume tests give global travelers and other people who need to demonstrate a negative COVID-19 result the option of taking a test at home or in a hotel. In those cases, the test is monitored over video conference by a third-party group. The test result travels from the device, over Bluetooth, to a phone running an Ellume app, and from there to the cloud. By modifying the Bluetooth traffic on the phone running the app, a test taker could use an Ellume device from a sealed box on camera and still fabricate a positive or negative result.
F-Secure was able to obtain certified positive test results from Azova for a marketing manager who was COVID-19 negative.
Ken Gannon, a security consultant with F-Secure who discovered the vulnerability, said he hoped this would motivate security companies and manufacturers to do more testing on testing devices.
“I’m honestly surprised I’m the first one coming out with this kind of research,” he said.
To alter the test, Gannon used a script, loaded as an Android Xposed module, to flip the single bit carrying the positive or negative result in the value returned by the “getValue” method of “android.bluetooth.BluetoothGattCharacteristic”. That script requires root access to the phone, but he said a side-loaded fake Ellume app designed to modify the results would not.
More detail on the attack can be found on the F-Secure blog.
Gannon said he understood the utility of a phone-connected testing app that takes the uncertainty out of figuring out how many lines an analog device displays. But, he said, motivated people may never be trustworthy enough for those connected devices to be used for official results.
“A[n official] test for COVID should be 100% supervised by humans and verified by humans and not use Bluetooth,” he said.