Security researchers utilized a Bluetooth vulnerability to alteration antagonistic results to positive.
Security researchers recovered a vulnerability successful a location trial for COVID-19 that a atrocious histrion could usage to alteration trial results from affirmative to antagonistic oregon vice versa. F-Secure recovered that the Ellume COVID-19 Home Test could beryllium manipulated via the Bluetooth instrumentality that analyzes a nasal illustration and communicates the results to the app.
Ellume fixed the flaw aft F-Secure explained the vulnerability. Ellume is 1 of the tests travellers tin usage to participate the United States. Some lawsuit organizers are requiring impervious of vaccination for attendees, including CES 2022. If an attendee tests affirmative during that event, he oregon she volition beryllium asked to instrumentality the lawsuit badge and quarantine for 10 days.
Here's however the trial works: A idiosyncratic downloads an app, answers a fewer screening questions, watches an informational video and past performs the test. The investigating instrumentality connects to the app via Bluetooth to study the trial results.
The institution explained the flaw this way:
"F-Secure determined that by changing lone the byte worth representing the 'status of the test' successful some STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by calculating caller CRC and checksum values, it was imaginable to change the COVID trial effect earlier the Ellume app processes the data."
Security researchers exploited the vulnerability to alteration a antagonistic trial to positive. The app automatically reports the required information to wellness authorities via a HIPAA compliant unreality connection.
Allume besides offers a video reflection work to verify the test-taking process and the results. A proctor watches an idiosyncratic taking the trial and past issues a certificate with the results.
This mendacious study was reflected successful the authoritative certificate issued by Ellume, which listed a affirmative trial effect for COVID-19. F-Secure posted the probe files for this experimentation connected Github.
Ken Gannon, a main information advisor successful F-Secure's New York City office, recovered the flaw that allows a atrocious histrion to alteration the results aft the Bluetooth analyzer performs the trial but earlier the results are reported by the app.
"Prior to Ellume's fixes, highly skilled individuals oregon organizations with cybersecurity expertise trying to circumvent nationalist wellness measures meant to curb COVID's spread, could've done truthful by replicating our findings," Gannon said successful a property release. "Someone with the due information and method skills could've utilized these flaws to guarantee they, oregon idiosyncratic they're moving with, gets a antagonistic effect each clip they're tested."
F-Secure contacted Ellume to explicate these findings earlier making a nationalist announcement and recommended that the institution instrumentality these steps:
- Implement further investigation of results to emblem spoofed data
- Implement further obfuscation and OS checks successful the Android app
Alan Fox, caput of accusation systems astatine Ellume, said successful a property merchandise that the institution has updated its strategy to observe and forestall the transmission of falsified results.
"We volition besides present a verification portal to let organizations — including wellness departments, employers, schools and others — to verify the authenticity of the Ellume COVID-19 Home Test," helium said. "We would similar to convey F-Secure for bringing this contented to our attention."
Ellume's location trial was approved by the FDA successful December 2020 and is 1 of the trial planetary travellers tin usage to amusement antagonistic trial results.