At a time when President Biden is preparing to make at-home Covid tests available to more Americans, a security researcher has discovered a flaw that could allow someone to change the results in one such test that has been granted emergency use authorization in the US.
While there are now a number of at-home Covid-19 tests available, Elume offers a self-administered antigen test that individuals can use to check to see if they've contracted the virus. Instead of submitting a sample to a testing facility, the company's testing kit allows users to collect their own nasal sample and then test it using the included Bluetooth analyzer.
The Bluetooth analyzer, which reports a user's test result to them as well as to health authorities using Elume's mobile app, caught the attention of F-Secure security consultant Ken Gannon who specializes in mobile security.
During his investigation, Gannon found that it was possible to exploit a bug in the Bluetooth analyzer to change the results of a Covid test before they were reported to Ellume's app. Additionally, Gannon and a colleague were able to obtain a proof of observation certificate for a changed result from a third-party video observation service they were directed to by the company's website.
Falsifying Covid test results
After discovering that he could falsify the results of Ellume's at-home Covid tests, Gannon shared his findings with the company which launched an investigation, confirmed the problem and implemented several improvements to its tests to prevent users from tampering with their results.
Gannon provided further insight on his discovery and how it could be abused by those looking to secure a negative Covid test every time in a press release, saying:
“Our research involved changing a negative test result to positive, but the process works both ways. Prior to Ellume’s fixes, highly skilled individuals or organizations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings. Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”
Although Gannon first decided to investigate the Bluetooth analyzer used in Ellume's at-home Covid test out of curiosity, he pointed out that other individuals or organizations can leverage similar security flaws to circumvent public health measures. Thankfully though, Eludme's at-home Covid tests are now even more secure thanks to Gannon's discovery and the fact that he responsibly disclosed his findings to the company.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.