F-Secure researcher helps improve integrity of Ellume COVID-19 Home Test

Researcher finds and helps fix flaws that would’ve allowed someone to change results in test that has emergency use authorization in the US.

Helsinki, Finland – December 21, 2021: A researcher with cyber security provider F-Secure has found and helped fix design flaws in Ellume’s COVID-19 Home Test. The flaws would have allowed an individual to falsify a certifiable result in Ellume’s test, which has received emergency use authorization in the US.

Ellume’s COVID-19 Home Test is a self-administered antigen test that individuals can use to check to see if they have COVID-19. Instead of submitting a sample to a testing facility, users collect a nasal sample on their own using the test kit’s equipment, then test the sample using the included Bluetooth analyzer. The analyzer then reports the result to the user and health authorities via Ellume’s Android or iOS app.

It was the Bluetooth analyzer that caught the interest of security consultant Ken Gannon, who specializes in mobile security. He discovered it was possible to change results after the Bluetooth analyzer performed the test but before they’re reported by the app.

Furthermore, Gannon and a colleague were able to obtain a proof of observation certificate for a changed result from the third-party video observation service they were directed to by Ellume’s website. Ellume describes observed testing to verify the identity of the test subject as a requirement for some activities, including entry to the U.S.*

“Our research involved changing a negative test result to positive, but the process works both ways. Prior to Ellume’s fixes, highly skilled individuals or organizations with cyber security expertise trying to circumvent public health measures meant to curb COVID’s spread, could’ve done so by replicating our findings,” explained Gannon. “Someone with the proper motivation and technical skills could’ve used these flaws to ensure they, or someone they’re working with, gets a negative result every time they’re tested.”

Ken Gannon

Gannon shared his findings with Ellume, who promptly investigated and confirmed the problem and implemented several improvements to prevent tampering with the test results.

“Ellume has updated our system to detect and prevent the transmission of falsified results. In addition, we have analyzed all results to-date and confirmed no other results were impacted. We will also deliver a verification portal to allow authorities – including health departments, employers, schools, event organizers and others – to verify the authenticity of the Ellume COVID-19 Home Test,” said Alan Fox, Head of Information Systems, Ellume.

“Our test is already one of the most secure on the market and thanks to F-Secure’s insights, our ECHT is now even more secure – particularly compared to currently available non-digital tests, which can be easily falsified simply by putting soda or water on the test without requiring any specialized skills. Ellume is confident in the reliability of our ECHT test result, and we would like to thank F-Secure for bringing this issue to our attention and for the work they do every day to protect consumers, businesses and organizations around the globe,” continued Fox.

While Gannon was compelled to investigate Ellume’s test out of professional curiosity, he points out that other individuals or organizations can take advantage of design flaws in technology in ways that are more harmful.

“When security researchers look for problems in technology, we do it to challenge ourselves and the results are usually able to help other companies make their products safer to use. However, adversaries are also constantly looking for problems in technology that they can use to achieve other objectives. In this case, an adversary could’ve used these design flaws to circumvent public health measures intended to fight the COVID pandemic, so I’m happy that I was able to help Ellume improve the integrity of their tests,” explained Gannon.

A write-up of Gannon’s research is available on F-Secure Labs: https://labs.f-secure.com/blog/faking-a-positive-covid-test.

*Source: https://www.ellumecovidtest.com/travel

About F-Secure

F-Secure makes every digital moment more secure, for everyone. We deliver brilliantly simple, frictionless security experiences that make life easier for the tens of millions of people we protect and our 170 service provider partners. For more than 30 years, we’ve led the cyber security industry, inspired by a pioneering spirit born out of a shared commitment to do better by working together.

f-secure.com | twitter.com/fsecure | linkedin.com/f-secure

F-Secure media relations

Adam Pilkey

PR Content Manager

+358 40 637 8859

Press list

Sign up for media information from F-Secure.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Press archive

By year

Browse through our news by year.

By category

Browse through our news by category.