back to article Of course a Bluetooth-using home COVID test was cracked to fake results

Security vendor F-Secure has faked a COVID test result on a Bluetooth-equipped home COVID Test. Thankfully the vendor’s since fixed the device. The firm tested the Ellume COVID-19 Home Test, a device selected specifically because it uses a “Bluetooth connected analyzer for use with an app on your phone.” As F-Secure probed …

  1. T. F. M. Reader Silver badge

    BluetoothDebugActivity ?

    Keeping debug infrastructure in production is one of the more common ways to create security holes, innit?

    1. Martin Gregorie

      Re: BluetoothDebugActivity ?

      I'd think that depends on what the debugging code does. If it just shows the function execution sequence plus values of a few variables that select execution paths and isn't normally enabled in a production environment, then its not likely to be particularly harmful, provided that debugging activation is restricted to system supervisor level personnel and their supervisory programs.

      Any harm the above enables can be further minimised if debugging output is written to a circular buffer, sized to accommodate only the tracing output associated with a single exception and where the buffer content is only ever written to a logfile when an exception occurs.

    2. sad_loser

      Re: BluetoothDebugActivity ?

      But more than that, this is a device that is being sold that is making a medical claim. Performs / interprets / sends a medical test

      Therefore falls under ISO13485, 27001, and sound like must fail both.

      In the U.K. and Europe:

      Failure to comply = unlimited fines+ criminal prosecution

      Fill your boots!

      Medical IT is, along with aerospace, military and critical infrastructure the most tightly regulated and you don’t want to play unless you really know what you are doing.

      1. iron Silver badge

        Re: BluetoothDebugActivity ?

        Elisabeth Holmes and Theranos would beg to differ.

        She is in court now but for years she claimed things her test devices couldn't do, faked reports from Pfizer and others, claimed use by the US military and provided patients with fake data that was completely wrong. She was only stopped because she ripped off a bunch of rich old men for lots of money.

        Apparently if you're pretty and blonde medical IT has no more regulatory burdens than any other form of IT.

        1. katrinab Silver badge

          Re: BluetoothDebugActivity ?

          Given that she's on trial at the moment, maybe not.

        2. Clausewitz 4.0 Bronze badge
          Devil

          Re: BluetoothDebugActivity ?

          Everybody has weakness.. pretty and blonde, I can assure you lots of military personnel will fall for it.

        3. Charlie Clark Silver badge

          Re: BluetoothDebugActivity ?

          Fake it till you make it is just as true for medical products as it is for any other industry in the US. Theranos is high profile but the practices of Big Pharma are, in their own way, even more shocking and on a far bigger scale, eg. Purdue's approach to opioids, though it was far from alone in this. The lesson is: if your lobby is big enough, all you need to worry about is the size of the fine.

    3. badflorist Bronze badge

      Re: BluetoothDebugActivity ?

      "Do they store all original results somewhere else..."

      Sure, and right now somewhere, someone is adjusting your future health insurance premiums accordingly to these results. Of course they'll have to increase your premiums no matter what, because after all, even if you're "negative" there's a cost for running these tests. This is exactly why this company and others have been incentivized to build an "app".

  2. Jimmy2Cows Silver badge

    Bit of a leap...

    ...we have analyzed all results to-date and confirmed no other results were impacted...

    How would they know this?

    Do they store all original results somewhere else that can be interogated against the received data? I call BS. A huge steaming pile. Either Alan Fox, Ellume's head of information systems, is lying, or he's been fed some technical word salad by an arse-covering subordinate and doesn't have the appropriate understanding to say "You know what...? That's bollocks mate."

    1. Blazde

      Re: Bit of a leap...

      Price $26.10 (Walmart) says it's mostly bare-faced lie.

      Ridiculously easy to 'crack' by having somebody else who's negative use the swab, which in some circumstances is going to be even easier than acquiring soda or water.

      Nothing obvious in the way of physical tamper-resistance for the reader inside either (but why would there be considering the above): https://www.youtube.com/watch?v=UvArprBmdFA

      However you can see there is some kind of detailed optical recording of the flow process, and perhaps at least some of that data is uploaded for scrutiny by 'AI' (hah) or manually. Obviously that failed to detect F-Secure's simple status flip proactively so it's not worth much, but they may feel it gives them the ability to detect similar cracks after the fact, which is then the basis for issuing optimistic-sounding bullshit like they've done here.

      In essence it's no more secure than uploading a picture of your $5 lateral flow test.

      1. EnviableOne Silver badge

        Re: Bit of a leap...

        The UK lateral flow reporting is easier to fake, you just tick the box on the website that says negative rather than the one that says positive, and throw the strip in the bin.

        1. Jellied Eel Silver badge

          Re: Bit of a leap...

          Anyone got one of these gizmos? Kinda curious how it works, and if it's just an optical sensor slapped onto a regular LFT strip. Did find the FDA's recall notice for false positives though.

          1. Blazde

            Re: Bit of a leap...

            There's a tear-down in the link I gave above. Higher false positives than virtually any other lateral flow test so I think their optical reader was failing sometimes rather than the assay pad itself.

        2. Blazde

          Re: Bit of a leap...

          "The UK lateral flow reporting is easier to fake, you just tick the box on the website that says negative rather than the one that says positive, and throw the strip in the bin."

          Or tick the box that says positive and get 10 days off work/school.

          I think the idea is as long as the system encourages(*) you to actually have a test in your hand with an ID then the majority of people are going to go ahead and do their test out of curiosity, report and act on it honestly. It's secure against casual laziness which seems a good security/usability/cost compromise to me.

          (*) Apparently the IDs could be made-up but hopefully there's some kind of checksum digits so that's not completely trivial. The codes are probably not long enough.

          Making it marginally harder to fake might have some value in zero-Covid countries like Australia before the autumn. Maybe why this $25 single-use electronic trash was designed there.

          1. Ian Johnston Silver badge

            Re: Bit of a leap...

            Or tick the box that says positive and get 10 days off work/school.

            Apparently it didn't take school children long to find that a couple of drops of orange juice gave (a) a convincing positive test result and (b) ten days off school.

            1. Anonymous Coward
              Anonymous Coward

              Re: Bit of a leap...

              Or anti-vaxxers/Covidiots using LFTs to prove there is Covid in the water supply.

              Not following the test protocol is the most common way to invalidate a test.

  3. Version 1.0 Silver badge
    Joke

    What's an "App"

    It always seems to stand for A programming problem. I've added the joke icon because it's a joke that this is a joke - LOL - Merry Christmas everyone!

    1. DarkLordofSurrey

      Re: What's an "App"

      and an Appy New Year..

  4. cornetman Silver badge

    Nice to see such a positive reaction to a security concern being raised and a willingness to work with them to improve security.

    Wish we could see more of this in the device realm.

  5. Robert Carnegie Silver badge

    If this id the ECHT product, what is the ERSATZ version like? Two tin cans joined with string?

  6. Anonymous Coward
    Anonymous Coward

    Ah.....smartphone + app + bluetooth + internet......what could possibly go wrong?

    .....compared, say, with going to an accredited test centre and getting tested?

    *

    1. Test centre: authentication is less likely to be faked; test result is probably impossible to fake

    2. Ellume COVID-19 Home Test: authentication - none; test result -- your mileage will vary!

    *

    Why am I NOT surprised (again) that technology is NOT the answer!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah.....smartphone + app + bluetooth + internet......what could possibly go wrong?

      "test result is probably impossible to fake"

      PCR tests have been given false negatives by incompetent test labs.

  7. Anonymous Coward
    Anonymous Coward

    I bet the test results are logged using log4j too.

  8. AndyFl

    A story where the manufacturer responds reasonably to a (in)security report

    Most software stuff has bugs, at least this wasn't a gaping hole in the system as it required a fairly high level of skill to exploit.

    The great thing was they didn't shoot the messenger.

  9. Ace2 Silver badge

    What is the point?

    This is meant to be some sort of authentication of the test results?

    If you want to be sure it’s negative so you can go on holiday, just get the dog to lick the test strip. Voilà!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like