"F-Secure Uses Flaw in At-Home COVID-19 Test To Fake Results"

Security researchers at F-Secure identified a vulnerability in a home test for COVID-19. The exploitation of this flaw could allow a malicious actor to alter test results, changing them from positive to negative or vice versa. According to the researchers, it is possible to manipulate the Ellume COVID-19 Home Test via the Bluetooth device that analyzes the nasal sample and communicates with the app to report the test results.

The researchers determined that the COVID-19 test result could be changed before the Ellume app processes the data by altering only the byte value representing the status of the test in two different types of traffic called STATUS and MEASUREMENT_CONTROL_DATA, and then calculating new Cyclic Redundancy Check (CRC) and checksum values. They were able to change a negative test to positive through the exploitation of the vulnerability.

The flaw, now fixed by Ellume, could have been used by highly skilled individuals or organizations with cybersecurity expertise in an attempt to evade public health measures meant to help prevent the spread of COVID-19. For example, a skilled threat actor could have used the flaw to ensure that an individual gets a negative result every time they are tested. Ellume has been advised to conduct further analysis of results to flag spoofed data, implement extra obfuscation checks in the Android app, and more.

This article continues to discuss the discovery of a Bluetooth vulnerability in Ellume's at-home COVID-19 test and how the company responded to this finding.
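The summary above turns on one property: a CRC or checksum can be recalculated by anyone who changes the data, so it detects transmission errors but not deliberate modification. The following added example (not from the article, F-Secure or Ellume) shows this on a constructed frame and compares it with a keyed HMAC tag verified by a party that holds the key. The frame layout, the message type value, the key and all function names are assumptions made for illustration.

```python
import binascii
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not Ellume's format):
#   1 byte message type | 1 byte status | 2 byte reading | 4 byte CRC-32
NEGATIVE, POSITIVE = 0x00, 0x01
DEVICE_KEY = b"constructed-per-device-key"  # hypothetical secret, unknown to the modifier

def build_frame(msg_type: int, status: int, reading: int) -> bytes:
    body = struct.pack(">BBH", msg_type, status, reading)
    return body + struct.pack(">I", binascii.crc32(body))

def crc_ok(frame: bytes) -> bool:
    body, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    return binascii.crc32(body) == crc

def seal(frame: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Append an HMAC-SHA256 tag; only holders of the key can produce it."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()

def sealed_ok(sealed: bytes, key: bytes = DEVICE_KEY) -> bool:
    frame, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected) and crc_ok(frame)

def rewrite_status(frame: bytes, status: int) -> bytes:
    """Change the status byte and redo the CRC; no secret is needed for this."""
    body = bytearray(frame[:-4])
    body[1] = status
    return bytes(body) + struct.pack(">I", binascii.crc32(bytes(body)))

def demo() -> dict:
    original = build_frame(0x10, NEGATIVE, 137)  # constructed sample reading
    sealed = seal(original)
    altered = rewrite_status(original, POSITIVE)
    # The tag still belongs to the original frame; it cannot be recomputed without the key.
    altered_sealed = altered + sealed[-32:]
    return {
        "crc_accepts_original": crc_ok(original),
        "crc_accepts_altered": crc_ok(altered),
        "hmac_accepts_original": sealed_ok(sealed),
        "hmac_accepts_altered": sealed_ok(altered_sealed),
    }
```

The keyed check only helps if verification happens where the key cannot be read by whoever controls the phone, for example on a backend service.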

TechRepublic reports "F-Secure Uses Flaw in At-Home COVID-19 Test To Fake Results"
