Study: Flaw Allowed Faked Results in COVID-19 Home Tests
Experts Say Other IoT Medical Products Face Similar Potential Problems
A flaw in a Bluetooth-enabled at-home COVID-19 test, which has since been fixed, would have allowed individuals to change test results from positive to negative, and vice versa - even while being supervised remotely by a third party while taking the test, says a report by the security researcher who discovered the problem.
Insufficient verification of data authenticity flaws discovered by Ken Gannon, a researcher at cybersecurity firm F-Secure, would have allowed an individual to falsify a certifiable result in the Ellume COVID-19 Home Test, says the report, which was issued on Tuesday. Ellume is a Brisbane, Australia-based digital medical diagnostics company with U.S. operations based in Frederick, Maryland.
Ellume’s COVID-19 Home Test is a self-administered antigen test that individuals can use to see if they have COVID-19. Users collect a nasal sample on their own using the test kit’s equipment and then test the sample using the included Bluetooth analyzer. The analyzer then reports the result to the user and health authorities via Ellume’s Android or iOS app, F-Secure says.
The F-Secure report says Gannon discovered it was possible to change the Ellume COVID-19 test results after the device's Bluetooth analyzer had performed the test, but before the results were reported by the app to health authorities.
Gannon and a colleague also were able to obtain a "proof of observation" certificate for the changed result from Azova, the third-party video observation service that consumers are directed to by Ellume’s website for the test.
Ellume says observed testing to verify the identity of the test subject is a requirement for some activities, including entry to the U.S., F-Secure says.
Ellume's website says that its COVID-19 Home Test "complies with the Centers for Disease Prevention and Control reporting requirement and automatically reports the required data to health authorities through [a] secure encrypted, HIPAA-compliant cloud connection."
In a statement to Information Security Media Group, Gannon says that a test taker schedules a video call with Azova, which uses either the test taker's computer webcam or their mobile device’s camera. The test is taken with an Azova representative observing the test taker to ensure that the test is being taken properly, he says.
The Ellume COVID-19 At Home Test features a Bluetooth analyzer, which consists of a custom board and a standard lateral flow test; the custom board determines whether a user's test result is positive or negative, the F-Secure report says.
It says the determination is based on what the two lines on the lateral flow test strip look like, and the analyzer then informs the companion mobile app whether the user's result was positive or negative.
Gannon writes in the report that Ellume's "Android application contained an un-exported activity called 'com.ellumehealth.homecovid.android/com.gsk.itreat.activities.BluetoothDebugActivity'. If you have root level access to your device, you can launch this activity to help interact with the analyzer over Bluetooth.
"Using this activity, F-Secure deduced that there were two types of Bluetooth traffic that were most likely in charge of informing the mobile app if the user was COVID positive or negative, 'STATUS' and 'MEASUREMENT_CONTROL_DATA.'"
F-Secure determined that by changing only the byte value representing the "status of the test" in both STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by calculating new CRC and checksum values, it was possible to alter the COVID test result before the Ellume app processed the data, Gannon says.
"Our research involved changing a negative test result to positive, but the process works both ways," according to the report.
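The weakness described above comes down to a CRC or checksum detecting accidental corruption, not deliberate edits. The following added example (not code from F-Secure's report or Ellume's product) uses a constructed frame layout and a placeholder per-device key to contrast a CRC trailer with a keyed HMAC tag that the receiving side verifies.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed frame layout for illustration (not Ellume's real format):
#   type (1 byte) | status (1 byte) | sequence (2 bytes) | trailer
NEGATIVE, POSITIVE = 0x00, 0x01
DEVICE_KEY = bytes(range(32))  # placeholder key shared by analyzer and backend only


def _body(status, seq):
    return struct.pack(">BBH", 0x10, status, seq)


def crc_frame(status, seq):
    body = _body(status, seq)
    return body + struct.pack(">I", zlib.crc32(body))


def crc_accepts(frame):
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    return zlib.crc32(body) == crc


def mac_frame(status, seq, key=DEVICE_KEY):
    body = _body(status, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def mac_accepts(frame, key=DEVICE_KEY):
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def compare_trailers():
    """Apply the same status edit to both frame types, as an untrusted relay could."""
    # CRC trailer: no secret is involved, so it can be recomputed after the edit.
    body = bytearray(crc_frame(POSITIVE, 7)[:-4])
    body[1] = NEGATIVE
    edited_crc = bytes(body) + struct.pack(">I", zlib.crc32(bytes(body)))
    # HMAC trailer: without DEVICE_KEY the old tag no longer matches the edited body.
    edited_mac = bytearray(mac_frame(POSITIVE, 7))
    edited_mac[1] = NEGATIVE
    return {"crc": crc_accepts(edited_crc), "hmac": mac_accepts(bytes(edited_mac))}


if __name__ == "__main__":
    print(compare_trailers())
```

In a design like this the verifying side should be the backend rather than the phone app, and it should also reject reused sequence numbers so that an old genuine frame cannot be replayed.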
Gannon notified Ellume of his findings, and the company promptly investigated, confirmed the issues and implemented several improvements to prevent tampering with the test results, F-Secure says.
But prior to Ellume’s fixes, Gannon says in an F-Secure statement, "highly skilled individuals or organizations with cybersecurity expertise trying to circumvent public health measures meant to curb COVID’s spread could’ve done so by replicating our findings. Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested."
The Ellume COVID-19 Home Test received emergency use authorization from the Food and Drug Administration in December 2020.
An Ellume spokeswoman tells ISMG that the design flaw discovered by F-Secure is unrelated to the October recall of some COVID-19 Home Tests.
In a statement to ISMG, the FDA says Ellume's product recall was related to a manufacturing issue affecting certain lots. "The FDA is working with Ellume to assess the company’s corrective actions, such as additional manufacturing checks and other corrective steps, to address the reason for the manufacturing issue, and to help ensure that it is resolved and will not recur."
F-Secure says it made recommendations to Ellume for addressing the design flaw, including implementing further analysis of results to flag spoofed data and implementing additional obfuscation and operating system checks in the Android app.
In a statement provided to ISMG, Ellume says it has implemented updates to its system to detect and prevent the transmission of falsified results to health authorities.
"In addition, we have analyzed all results to date and confirmed no other results were impacted. We will also deliver a verification portal to allow authorities - including health departments, employers, schools, event organizers and others - to verify the authenticity of the Ellume COVID-19 Home Test," said Alan Fox, head of information systems at Ellume.
"Ellume is confident in the reliability of our ECHT test result, and we would like to thank F-Secure for bringing this issue to our attention," he said.
Azova did not immediately respond to ISMG's request for comment on the F-Secure report findings.
Some experts say the issue highlights potential security risks involving other IoT devices, health apps and similar products potentially affecting their data integrity, accuracy and, ultimately, patient safety. And Gannon tells ISMG it is possible that other IoT health products contain flaws similar to what he found in the Ellume test.
It could affect "any device or application that has input for making decisions or actions, where a wrong outcome could affect patient safety," says Benjamin Denkers, chief innovation officer at privacy and security consulting firm CynergisTek, which was not involved in the study.
Denkers says manufacturers of similar consumer-oriented medical testing and IoT products can take steps to enhance the security of their products before they hit the market.
"Utilizing threat modeling and penetration testing and doing secure code reviews certainly helps manufacturers identify these types of vulnerabilities," Denkers says.
"Ensuring the organization has a robust security program as part of their software development life cycle process goes a long way in helping to identify and prevent vulnerabilities prior to production."
"Bluetooth can be a commonly overlooked attack vector and is often vulnerable to various attacks," he says.