Researcher reveals that some at-home COVID-19 tests could be hacked using Bluetooth
A researcher has found that it is possible to hack one brand of at-home COVID-19 tests via Bluetooth. The flaw allowed the researcher, Ken Gannon, to modify his test result from negative to positive. Though he did not trial it, Gannon believes he could also have amended the result the other way. The weakness which allowed the hack has now been fixed.
The problem was found in an Ellume COVID-19 Home Test. The Ellume test allows you to test yourself for COVID-19 antigens at home, with the result shared via Bluetooth to an app installed on your phone. After 15 minutes, the results are shared with the user on the app and can then be passed to the relevant health authorities. Ellume at-home tests are CDC approved for re-entry to the US after international travel.
Gannon, who works for F-Secure, purposefully searched for faults in the Ellume test. He realized that the Bluetooth element of the test could be breached, allowing him to alter the test result and thus change the data reported to the authorities.
To analyze the Ellume test, Gannon used a custom board and a standard lateral flow test; the custom board was used to determine the test result, checking if two lines appeared. This device would then communicate with the app to log the outcome of the test. F-secure found that it could modify the “test status” in the two types of Bluetooth traffic between the lateral flow test and the app to fake the result.
On discovering the weakness, F-Secure reported its findings to Ellume. Ellume has since stated that it has updated its system to ensure that falsified results can be detected and prevented from being transmitted.