A now-fixed Bluetooth vulnerability in a home COVID-19 testing device could have been exploited to fake test results.
Security research firm WithSecure announced the news Thursday morning with Cue Health, the device vendor that patched the flaw. Ken Gannon, a researcher with the corporate-infosec arm of WithSecure, found that by eavesdropping on Bluetooth transmissions from Cue’s handheld reader device to its Android app, he could identify hexadecimal sequences that corresponded to test data, then rewrite them in a way the app accepted as legitimate.
“I was able to change my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone,” Gannon says. “The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”
WithSecure says Cue “responded promptly” to close the vulnerability and did not know of any faked test results outside those Gannon reported.
“The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration,” says Vimal Subramanian, VP of information security and privacy at Cue Health, in a statement.
A second technical document shared in advance by WithSecure (with documentation published on GitHub) says Cue’s fix involves server-side checks but also advises that Cue users update their mobile apps to the current version—1.7.2 for Android and 1.7.1 for iOS—which will then prompt them to update the Cue device’s firmware.
San Diego-based Cue’s system—promoted in a Super Bowl ad this March—consists of a $249 handheld reader that, with a COVID-19 test cartridge (a three-pack sells for $195), performs molecular nucleic acid amplification tests, a more sensitive check than the reagent rapid tests the government began giving away this winter.
Cue says a “NAAT” test like those in its kit “combines the diagnostic accuracy of a central lab with the speed and convenience of an at-home test.”
Researchers have found that for checking somebody’s infectiousness, regular reagent testing works better. But cheap at-home tests don’t qualify under the Centers for Disease Control’s requirement that Americans test negative before flying home from outside the US; only professionally-run tests or app-assisted test kits will do.
This latest episode of problematic IoT security would have been one way to evade that requirement. But as I’ve realized over three transatlantic trips since last summer, most recently returning in early March from MWC Barcelona, check-in counter agents may not inspect PDFs of negative test results all that closely.