A security researcher was able to change the results of an at-home COVID test and get those results certified by intercepting and modifying Bluetooth traffic from the device before it reached the app. The researcher, Ken Gannon, found the flaw in Ellume’s nasal swab test, which is designed to analyze and transmit data to a companion app which displays and saves the results. According to a press release from F-Secure, the security company Gannon consults for, Ellume has now fixed the issue.
The process of falsifying results wasn’t a simple one: according to F-Secure’s writeup, the researcher used a rooted Android device to tap into and analyze the data the tester was sending to the app. From there, Gannon was able to determine how the results were sent, and how their authenticity was verified. Then, he wrote two scripts that were able to successfully change a negative result into a positive one. When he received an email with his results from Ellume, he says, it incorrectly showed he had tested positive. If you’re interested in the technical details, you can read the writeup here.
Ellume says it followed F-Secure’s recommendations to do more analysis to ensure that data was accurate, and made changes to the app that should make it harder to analyze its data or take over the data transmission. Gannon told The Verge in an email that he didn’t test to see if his research was applicable to the iOS version of the app, and that the goal of his research was “to see if an ‘average person’ can fake a positive/negative COVID test.” He said that, in theory, “a dedicated threat actor could use [his] research to modify the Ellume app to always report a positive / negative result,” which could be installed on a non-rooted phone.
While Gannon’s writeup only includes changing negative results to positive ones, he says in F-Secure’s press release that “the process works both ways.” Before Ellume’s patches, Gannon says that “someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”
In theory, a fake certification could be submitted to meet US re-entry requirements. Not only was F-Secure able to get an incorrect result certified, it did so without a video test supervisor being able to detect it.
The press release says Ellume is now working on a “verification portal” that will let authorities verify that its at-home tests are authentic, and has gone back to analyze all its previous results for accuracy. Ellume says it found that none of them had been faked.