The image is called "chorus image" and is on thecdn.vox-cdn.com.
Researchers were able to exploit the test.
The image is Ellume.
A security researcher was able to change the results of an at- home COVID test and get them certified by intercepting and modifying the traffic from the device before it reached the app. The flaw in Ellume's test was found by Ken Gannon, a researcher. Ellume has fixed the issue, according to a press release from F-Secure.
F-Secure says that the researcher used a rooted device to tap into the data the tester was sending to the app. From there, he was able to determine how the results were sent. He wrote two scripts that were able to change a negative result into a positive one. He says that the email he got with his results was incorrect. You can read the writeup about the technical details.
Ellume says it followed recommendations to make this type of exploit harder.
Ellume made changes to the app that should make it harder to analyze its data or take over the data transmission, after following F-Secure's recommendations to do more analysis to ensure that data was accurate. The goal of his research was to see if an average person can fake a positive/negative COVID test, and he didn't test to see if his research was applicable to theiOS version of the app. He said that, in theory, a threat actor could modify the Ellume app to always report a positive or negative result, which could be installed on a non-rooted phone.
The process works both ways, he says in F-Secure's press release. Someone with the proper motivation and technical skills could have used the flaws to ensure that someone got a negative result every time they were tested.
A fake certification could be submitted to meet US re-entry requirements. F-Secure was able to get an incorrect result certified without a video test supervisor being able to detect it.
The press release states that Ellume is working on a verification portal that will allow authorities to verify that its at- home tests are authentic, and that it has gone back to analyze all its previous results for accuracy. Ellume found that none of them had been faked.
