First up in today’s roundup of cybersecurity tech news: a plot twist that will surprise

absolutely no one, a bluetooth covid test kit has been discovered to be hackable, this

is concrete proof that not everything needs to be computerised for the sake of it.

The “ellume covid-19 home test” is a super fancy testing kit, the idea is you do the

test as you would any other covid test by ramming a rod up your nose, then squeezing

a sample of your nostril juice onto the test pad.

However this thing isn’t going to give you your result on the test itself, you know the

two lines we’ve all become familiar with - instead it connects to your phone via bluetooth,

and then your phone tells you whether you’re positive or negative via an app.

We’ll get to it’s hackability in a moment.

But the more I researched into this thing the more I became just shocked and confused

at how ridiculous and pointless this whole device even is.

The signal path did a tear down video on it which I’ll link below.

It turns out this thing has a standard covid test strip inside of it, the one that produces

those two lines.

Then it uses some fancy optics and LEDs to read those two lines, before it transmits

the result to the app over bluetooth.

Oh and it’s single use so once it’s been used you just chuck it away, there’s no

way to switch out the test strip.

So if I’ve understood this right, all this does, is look at the lines for you, determines

whether there’s two of them and tells you via an app.

Then because it can only be used once you throw it away, you know the thing you just

spent $26 on.

I can’t help but feel I’m ranting at this point, but unless I’m missing something,

I just find this comically pointless.

Anyhow, the hackability that’s why you’re here, by introducing all the technical overheads

a device like this needs, ellume has accidentally introduced a bunch of things that can go wrong.

Cybersecurity company F-secure discovered that the developers forgot to remove some

handy debug features from the app before publishing it.

With a rooted Android phone they were able to modify certain variables as well as a checksum

in the test result before it was processed via the app.

They decided to test this method on their “Marketing manager” who was covid negative

at the time.

Using their hacks they were able to produce a fake positive covid result, but they could’ve

made the result negative if the person was in reality positive.

But hang on a second, this test result looks rather official, surely results from this

widget weren’t being accepted as proof of covid status to enter the US?

Erm, well they were kinda.

But with a catch, if you wanted an official certificate like this one, you had to pay

$20 to schedule a video call to have someone watch you take the test to make sure you weren’t

having someone else take the test for you or something like that, but of course the

person watching you can’t tell whether the app itself has been hacked.

To make matters worse, these tests were actually recalled a few months ago for unrelated reasons

- it turns out they were producing a high number of false positives.

Why exactly I can’t be sure, but I would guess it had nothing to do with the actual

test strip, and something more to do with all the overhead of having optics to read

a couple of lines.

The irony of sticking a bunch of electronics in a covid test to produce a device that seems

to be worse than a bare test strip whilst also being an order of magnitude more expensive

I find hilarious.

Let me know in the comments, is there something I’m missing here?

Or is this just as ridiculous as it seems?

Usually cyber scams aren’t very clever.

Whether the plan is to trick a user into enabling macros on an excel spreadsheet or luring someone

with the promise of free discord nitro - scams usually rely on a mix of technical illiteracy,

and falling for something that’s just too good to be true.

However this next scam is ingenious whilst being remarkably simple.

Scammers have been putting QR codes on parking meters in an attempt to trick people into

giving them money instead of paying for their actual ticket.

How this works kinda speaks for itself, in the dead of night someone goes round putting

stickers on parking meters which tell people to scan the QR code to pay for their parking,

in this case if they did, they were redirected to this site “passportlab.xyz”, which

prompts you to log in and give the scammers your card details.

The FBI has put out a PSA advising people to be wary of QR codes.

If I’m being honest, I don’t think I’d put a QR code under as much scrutiny as I

would a link in an email, even though they are essentially both links.

I receive phishing emails all the time, cybercriminals are always out to hack youtube channels and

turn them into elon musk crypto scam pages.

But anyway, when an email has a link I reckon I employ a good amount of caution before clicking

it.

But if I’m outside, you know - in the real world, and I have to scan a QR code to pay

for a ticket, or to check the bus schedule or something seemingly benign, I really don’t

think I’d be as careful as if I was clicking a link in an email.

Now I definitely will though, and you should too.

A VPN company has been shut down in a joint operation with various law enforcement agencies

worldwide.

Now VPNs aren’t illegal in of themselves, but this VPN company was slightly different

in that they “advertised [their services] on the dark web” to cybercriminals as a

way to stay hidden when doing things that they probably shouldn’t.

The fact that cybercriminals will happily use services like VPNs which are directly

marketed to them just never ceases to amaze me.

It’s not a smart move for a miscreant to outsource their opsec to a company which is

known for providing VPNs to criminals.

That’s like trying to hide a sandwich from a seagull by putting it in a hamper full of

food.

It might work for a while, but you’re just giving the seagulls more of a reason to find

a way into the box of treats.

The seagulls in this case being the authorities and the sandwich being all the juicy data

VPNLab has on their customers, and funnily enough a notice on the now seized domain says

that authorities have “seized the customer data stored within” - so no doubt this data

is going to lead to other investigations.

I couldn’t help but notice that they’ve edited the VPNLab logo to make it look like

it’s on fire and falling apart, this is new, I haven’t seen this before on seizure

pages.

Part of me thinks they got someone on fiverr to make this edit - but however they did it,

it is a nice touch to a landing page that is otherwise slightly boring.

This isn’t the first VPN company to be taken down, a site called doubleVPN was pwned last

year also for catering to criminals.

But interestingly when it comes to the VPNLab takedown, no arrests have yet been made, it’s

only the infrastructure here that’s been seized.

This video is sponsored by Linode, who are giving you $100 worth of free cloud computing.

Linode is a totally customisable cloud hosting platform - whether you’re looking to quickly

spin up a VPN, website or host a kubernetes cluster - Linode has you covered.

If it runs on linux it’ll run on linode.

Linode just announced availability of their NVME block storage, the first alternative

cloud provider to officially support this state of the art hardware.

Linode’s philosophy is to focus on providing all the tools a developer really needs at

competitive prices.

Use the link in the description now to claim your free $100.

Thanks for watching, let’s see if we can hack the youtube AI by tickling the like button,

follow me on the instagrams for behind the scenes stuff, and I’ll see you in the next

video, have a good one.