Skip to content

10th January 2022

F-Secure researcher discovered and rectified weaknesses in the Ellume COVID-19 Home Test, increasing its integrity

The weaknesses could have allowed patients to fabricate a verifiable result in Ellume’s test, which has been approved for emergency use in the United States

By intercepting and changing Bluetooth traffic from the device before it reached the app, a security researcher was able to manipulate the findings of an at-home COVID test and get those results validated.
Ellume’s nasal swab test, which is supposed to analyse and transfer data to a companion app that displays and records the results, has a problem, according to the researcher Ken Gannon. Ellume has now corrected the problem, according to a press release from F-Secure, the security firm for which Gannon consults. Ellume is the first FDA-approved over-the-counter self-test kit. It’s developed in Australia and provides results in 20min.

Ken Gannon found and helped fix design flaws in Ellume’s COVID-19 Home Test.

The COVID-19 Home Test from Ellume is a self-administered antigen test that can be used to determine if someone has COVID-19. Instead of sending a sample to a lab, users collect a nasal sample with the test kit’s equipment, then test it with the Bluetooth analyser that comes with the kit. The analyser then uses Ellume’s Android or iOS app to send the results to the user and health authorities.
Ken Gannon, a security expert who specialises in mobile security, was intrigued by the Bluetooth analyser. He observed that results might be changed after the Bluetooth analyser completed the test but before the app published them.
Gannon and a coworker were also able to receive a proof of observation certificate for an altered outcome from the third-party video observation provider that Ellume’s website pointed them to. Observed testing to authenticate the identification of the test participant is described by Ellume as a prerequisite for some activities, including entry into the United States*.
“Our research involved changing a negative test result to positive, but the process works both ways. Prior to Ellume’s fixes, highly skilled individuals or organizations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings,” explained Gannon. “Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”
While Gannon was forced to look into Ellume’s test out of professional interest, he points out that other people or groups can take advantage of technological design defects in more destructive ways. Gannon informed Ellume of his discoveries, and the company quickly investigated and confirmed the issue, as well as implemented many modifications to avoid manipulation with test results.
About Med-Tech World:
It is now estimated that the global digital health market will increase to around $640 billion by 2026. Through our expertise coupled with optimised networking, we will ensure that both investors and startups are on the ground floor of this health revolution. The event which is organised and curated alongside a team of doctors, attracts legislators and policymakers, medical professionals, and investors from across the world, addresses the opportunities and challenges driving this million-dollar forum.