A serious security flaw was discovered in a COVID-19 test, sold by the Ellume company and which allows the test results to be modified so that it is always negative.
This antigen test is homemade, is purchased in pharmacies and can be performed by any user. The test analyzes a sample using a Bluetooth device, which in turn sends the results to the corresponding application on the phone and also to the health authorities.
The problem is that, with some technical expertise, that sample analyzer can be compromised so that the test result is negative (or vice versa). Ken Gannon, a security researcher at the firm F-Secure, analyzed the data sent by the device to the phone through the Bluetooth connection and by using a small script code, it is possible to change the test result.
According to Ken Gannon, this security flaw is potentially dangerous since it is possible to make all tests always return negative results, which carries greater health risks in the midst of a pandemic.
Fortunately, this vulnerability was recognized by Ellume and patched in time, so the current tests on sale are safe in that regard.
However, the correction patch did not only mean applying an update to the firmware of the device, but also notifying all the corresponding authorities of the situation. The company assures that today the tests are completely reliable and also appreciated the collaboration provided by F-Secure, since the results of the investigation were delivered to them before they were made public.