At-home COVID-19 tests might not be as trustworthy as you’d hope — not in the hands of a committed hacker, at least. As The Vergenotes, F-Secure researcher Ken Gannon discovered a since-patched security flaw in Ellume’s Bluetooth-connected nasal swab test that let him change the reported results. The vulnerability was complicated, but still disconcerting.
Gannon used a rooted Android device to inspect the Bluetooth traffic Ellume’s lateral flow tester was sending to the company’s mobile app. The researcher pinpointed the traffic used to indicate test results, and wrote scripts to change the outcome. F-Secure Marketing Manager Alexandra Rinehimer even managed to fool Azova, a company issuing certificates for US entry tests, when it supervised her test.
Ellume has made it harder to study and modify the data, and it’s not clear iPhone or iPad users could replicate the same feat. The company is also building a portal to help officials verify at-home tests, and has determined that all previous tests were authentic.
Even so, the findings raise concerns about people using other flaws (including for other tests) to falsify their COVID-19 results. Someone with enough know-how could flip results negative to re-enter the US or a particular workplace while infected. Although the effort currently involved makes that fraud unlikely on a large scale, it wouldn’t take many bogus results to lead to outbreaks.