COVID-19 tests are becoming more and more common, and, as with much else in the modern world, computer technology is being built into them. This post looks at the Ellume COVID-19 Home Test.
The analyzer pairs a custom electronics board with a standard lateral flow test strip. The board reads the strip and decides whether the user is COVID positive or negative, then reports that result over Bluetooth to the companion mobile app.
The Android application contained an activity that was not exported, so it is not normally reachable from other apps, but on a rooted device it can still be launched directly (for example with the `am` command run as root). This activity appeared to be a developer-side debugging screen. Starting from it, the author of the original post dug into the Bluetooth communication between the analyzer and the app.
There were two message types: STATUS and MEASUREMENT_CONTROL_DATA. Further reverse engineering recovered the fields in each packet. The MEASUREMENT_CONTROL_DATA packet carried line information, a test ID, a checksum, a CRC and a number of other values.
The STATUS packet carried the test result (positive or negative), a measurement count and some other information. All of this was worked out by reading the classes in the decompiled Android application, which is where the packet parsing lives.
How does somebody attack this, though? Currently, the US government allows Ellume to administer COVID tests for events. Once the test has been taken, the application on the user's own phone is what is used to demonstrate the result.
At this point a malicious user can use Frida to hook the running application and alter the test data it receives from the analyzer. Once the result has been changed and the CRC recomputed so the packet still validates, the app issues a certificate carrying the fake result.
To me, this flow is fundamentally flawed. If an attacker can store this information on their phone, then what stops them from making a completely altered version of the application? Or even their own phone app? In my opinion, the test should hook up to a test administrator's phone instead of the user's.
To fix this problem, the authors recommended that Ellume implement further analysis to ensure that data spoofing is not possible, and additionally add obfuscation and OS integrity checks to the Android app. However, these are not true protections: they only slow attackers down, since everything the app checks runs on a device the attacker controls. A redesign of how the result is produced and verified would be required to actually fix this.
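The following is an added example, not code from the original research or from Ellume, illustrating both the spoofing step described above and why a CRC cannot stop it. The STATUS packet layout (type byte, result byte, measurement count, CRC-32) and the per-device HMAC key are assumptions made for this example; the real Ellume packet format and CRC variant are not described here. The first half shows that a naive byte flip is caught by the CRC but that flipping the result and recomputing the CRC passes every check the phone can make. The second half shows one possible redesign in which the analyzer authenticates the result with a key the phone never holds, so the same tampering fails verification.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical STATUS packet layout (assumption for this example only):
#   byte 0      message type (0x01 = STATUS)
#   byte 1      result: 0 = negative, 1 = positive
#   bytes 2-3   measurement count, little-endian uint16
#   bytes 4-7   CRC-32 over bytes 0-3, little-endian uint32
STATUS_TYPE = 0x01
NEGATIVE, POSITIVE = 0, 1


def build_status(result, count):
    """Build a STATUS packet the way the analyzer would (assumed layout)."""
    body = struct.pack("<BBH", STATUS_TYPE, result, count)
    return body + struct.pack("<I", zlib.crc32(body))


def crc_ok(packet):
    """Integrity check the phone app can perform: recompute and compare the CRC."""
    body, (crc,) = packet[:-4], struct.unpack("<I", packet[-4:])
    return zlib.crc32(body) == crc


def parse_status(packet):
    """Return (result, count); raise if the CRC does not match."""
    if not crc_ok(packet):
        raise ValueError("CRC mismatch")
    _, result, count = struct.unpack("<BBH", packet[:4])
    return result, count


def naive_flip(packet, new_result):
    """Overwrite the result byte without touching the CRC."""
    body = bytearray(packet)
    body[1] = new_result
    return bytes(body)


def spoof_result(packet, new_result):
    """What a Frida hook on the phone can do: flip the result and recompute the CRC."""
    body = bytearray(packet[:-4])
    body[1] = new_result
    return bytes(body) + struct.pack("<I", zlib.crc32(bytes(body)))


# One possible redesign (my suggestion, not the vendor's): the analyzer appends an
# HMAC-SHA256 tag under a per-device key that only the analyzer and the verifying
# server know. The phone merely relays the packet and cannot forge the tag.
def sign_status(packet, key):
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def verify_signed(signed, key):
    packet, tag = signed[:-32], signed[-32:]
    expected = hmac.new(key, packet, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Run the attack against both designs and return what each check concludes."""
    key = b"per-device secret shared by analyzer and server"  # constructed key
    genuine = build_status(POSITIVE, 3)

    # Attack on the CRC-only design.
    flipped = naive_flip(genuine, NEGATIVE)
    spoofed = spoof_result(genuine, NEGATIVE)

    # Attack on the HMAC design: attacker can alter the packet and fix the CRC,
    # but has no key, so the best they can do is keep the old tag.
    signed = sign_status(genuine, key)
    tampered = spoof_result(signed[:-32], NEGATIVE) + signed[-32:]

    return {
        "genuine_parses_as": parse_status(genuine),
        "naive_flip_passes_crc": crc_ok(flipped),
        "spoofed_passes_crc": crc_ok(spoofed),
        "spoofed_parses_as": parse_status(spoofed),
        "signed_verifies": verify_signed(signed, key),
        "tampered_verifies": verify_signed(tampered, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The CRC exists to catch transmission errors, and it does catch the naive flip, but anyone who can run code on the phone can recompute it, which is exactly what a Frida hook does. With the HMAC variant the phone still sees the plaintext result, so it cannot be lied to by the app, but it cannot change the result either: the verifying party checks the tag, and the key never leaves the analyzer and the server. That is the substance of the "redesign" the post calls for: the trust decision has to be made somewhere the attacker does not control.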