Keeping debug infrastructure in production is one of the more common ways to create security holes, innit?
Security vendor F-Secure has faked a COVID test result on a Bluetooth-equipped home COVID Test. Thankfully the vendor’s since fixed the device. The firm tested the Ellume COVID-19 Home Test, a device selected specifically because it uses a “Bluetooth connected analyzer for use with an app on your phone.” As F-Secure probed …
I'd think that depends on what the debugging code does. If it just shows the function execution sequence plus values of a few variables that select execution paths and isn't normally enabled in a production environment, then it's not likely to be particularly harmful, provided that debugging activation is restricted to system supervisor level personnel and their supervisory programs.
Any harm the above enables can be further minimised if debugging output is written to a circular buffer, sized to accommodate only the tracing output associated with a single exception and where the buffer content is only ever written to a logfile when an exception occurs.
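The design described in the comment above, sketched as an added example that is not part of the original thread: tracing is off by default, trace lines go to a fixed-size ring, and the ring reaches the log only when an exception occurs. `ExceptionTrace`, `guarded`, `parse_reading` and the checksum rule are hypothetical names and constructed sample data.

```python
import collections
import functools

class ExceptionTrace:
    """Bounded in-memory trace that reaches the log only on an exception."""
    def __init__(self, capacity, sink):
        self._ring = collections.deque(maxlen=capacity)  # oldest lines fall off
        self._sink = sink        # callable taking one log line (assumed interface)
        self.enabled = False     # off by default; enabling is a privileged action

    def trace(self, message):
        if self.enabled:
            self._ring.append(message)

    def guarded(self, func):
        """Wrap func so the ring is flushed to the sink only if func raises."""
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            try:
                result = func(*args, **kwargs)
            except Exception as exc:
                for line in self._ring:
                    self._sink(line)
                self._sink(f"exception: {type(exc).__name__}: {exc}")
                raise
            finally:
                self._ring.clear()   # never carry trace data across calls
            return result
        return wrapper

def demo():
    logfile = []                     # stands in for the logfile (constructed)
    tracer = ExceptionTrace(capacity=3, sink=logfile.append)
    tracer.enabled = True            # in production this stays False
    @tracer.guarded
    def parse_reading(raw):
        # Trace execution path and sizes only, never the payload itself.
        tracer.trace(f"enter parse_reading len={len(raw)}")
        for step in ("header", "payload", "checksum"):
            tracer.trace(f"path={step}")
        if raw[-1] != sum(raw[:-1]) % 256:
            raise ValueError("checksum mismatch")
        return raw[:-1]

    parse_reading(bytes([1, 2, 3]))  # succeeds: nothing is written
    lines_after_success = list(logfile)
    try:
        parse_reading(bytes([1, 2, 9]))  # constructed bad checksum
    except ValueError:
        pass
    return lines_after_success, logfile
```

With a capacity of three, the failing call logs only the last three trace lines plus the exception line, which bounds how much internal state a single fault can expose.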
But more than that, this is a device that is being sold that is making a medical claim. Performs / interprets / sends a medical test
Therefore falls under ISO13485, 27001, and sounds like it must fail both.
In the U.K. and Europe:
Failure to comply = unlimited fines + criminal prosecution
Fill your boots!
Medical IT is, along with aerospace, military and critical infrastructure the most tightly regulated and you don’t want to play unless you really know what you are doing.
Elizabeth Holmes and Theranos would beg to differ.
She is in court now but for years she claimed things her test devices couldn't do, faked reports from Pfizer and others, claimed use by the US military and provided patients with fake data that was completely wrong. She was only stopped because she ripped off a bunch of rich old men for lots of money.
Apparently if you're pretty and blonde medical IT has no more regulatory burdens than any other form of IT.
Fake it till you make it is just as true for medical products as it is for any other industry in the US. Theranos is high profile but the practices of Big Pharma are, in their own way, even more shocking and on a far bigger scale, e.g. Purdue's approach to opioids, though it was far from alone in this. The lesson is: if your lobby is big enough, all you need to worry about is the size of the fine.
"Do they store all original results somewhere else..."
Sure, and right now somewhere, someone is adjusting your future health insurance premiums according to these results. Of course they'll have to increase your premiums no matter what, because after all, even if you're "negative" there's a cost for running these tests. This is exactly why this company and others have been incentivized to build an "app".
...we have analyzed all results to-date and confirmed no other results were impacted...
How would they know this?
Do they store all original results somewhere else that can be interrogated against the received data? I call BS. A huge steaming pile. Either Alan Fox, Ellume's head of information systems, is lying, or he's been fed some technical word salad by an arse-covering subordinate and doesn't have the appropriate understanding to say "You know what...? That's bollocks mate."
Price $26.10 (Walmart) says it's mostly a bare-faced lie.
Ridiculously easy to 'crack' by having somebody else who's negative use the swab, which in some circumstances is going to be even easier than acquiring soda or water.
Nothing obvious in the way of physical tamper-resistance for the reader inside either (but why would there be considering the above): https://www.youtube.com/watch?v=UvArprBmdFA
However you can see there is some kind of detailed optical recording of the flow process, and perhaps at least some of that data is uploaded for scrutiny by 'AI' (hah) or manually. Obviously that failed to detect F-Secure's simple status flip proactively so it's not worth much, but they may feel it gives them the ability to detect similar cracks after the fact, which is then the basis for issuing optimistic-sounding bullshit like they've done here.
In essence it's no more secure than uploading a picture of your $5 lateral flow test.
"The UK lateral flow reporting is easier to fake, you just tick the box on the website that says negative rather than the one that says positive, and throw the strip in the bin."
Or tick the box that says positive and get 10 days off work/school.
I think the idea is as long as the system encourages(*) you to actually have a test in your hand with an ID then the majority of people are going to go ahead and do their test out of curiosity, report and act on it honestly. It's secure against casual laziness which seems a good security/usability/cost compromise to me.
(*) Apparently the IDs could be made-up but hopefully there's some kind of checksum digits so that's not completely trivial. The codes are probably not long enough.
Making it marginally harder to fake might have some value in zero-Covid countries like Australia before the autumn. Maybe why this $25 single-use electronic trash was designed there.
.....compared, say, with going to an accredited test centre and getting tested?
1. Test centre: authentication is less likely to be faked; test result is probably impossible to fake
2. Ellume COVID-19 Home Test: authentication - none; test result -- your mileage will vary!
Why am I NOT surprised (again) that technology is NOT the answer!!