Flaws identified in COVID-19 home test


A cyber security researcher identified, and helped fix, flaws in a COVID-19 home test that would have allowed users to falsify their results.

Ellume’s COVID-19 home test is a self-administered antigen test that has received emergency use authorisation in the US.

Instead of submitting a sample to a testing facility, users collect a nasal sample on their own using the test kit’s equipment, then test the sample using the included Bluetooth analyser.

The analyser then reports the result to the user and health authorities via Ellume’s Android or iOS app.

It was the Bluetooth analyser that caught the interest of Ken Gannon, a security consultant at F-Secure who specialises in mobile security.

He discovered it was possible to change results after the Bluetooth analyser performed the test but before they’re reported by the app.

Gannon and a colleague were able to obtain a proof of observation certificate for a changed result from the third-party video observation service they were directed to by Ellume’s website. Ellume said observed testing to verify the identity of the test subject was a requirement for some activities, including entry to the U.S.

Gannon said: “Our research involved changing a negative test result to positive, but the process works both ways.

“Prior to Ellume’s fixes, highly skilled individuals or organisations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread could’ve done so by replicating our findings.

“Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”

Gannon shared his findings with Ellume, who promptly investigated and confirmed the problem and implemented several improvements to prevent tampering with the test results.

Alan Fox, head of information systems at Ellume, said: “Ellume has updated its system to detect and prevent the transmission of falsified results. We will also deliver a verification portal to allow organisations, including health departments, employers, schools and others, to verify the authenticity of the Ellume COVID-19 Home Test.

“Our test is already one of the most secure on the market and thanks to F-Secure’s insights, it is now even more secure – particularly compared to currently available visually-read strip tests, which can be easily falsified simply by putting soda or water on the test without requiring any specialised skills.

“The security of our products is paramount, and Ellume is confident in the reliability of our test results. We would like to thank F-Secure for bringing this issue to our attention and for the work they do every day to protect consumers, businesses and organisations around the globe.”

While Gannon was compelled to investigate Ellume’s test out of professional curiosity, he pointed out that other individuals or organisations can take advantage of design flaws in technology in ways that are more harmful.

“When security researchers look for problems in technology, we do it to challenge ourselves and the results are usually able to help other companies make their products safer to use.

“However, adversaries are also constantly looking for problems in technology that they can use to achieve other objectives.

“In this case, an adversary could’ve used these design flaws to circumvent public health measures intended to fight the COVID pandemic, so I’m happy that I was able to help Ellume improve the integrity of their tests.”
