Flaw in COVID-19 Testing Device Could’ve Been Exploited to Change Results
A now-patched Bluetooth vulnerability in a home COVID-19 testing device could have been exploited to fake test results.
Security research firm WithSecure announced the news Thursday morning with Cue Health, the device vendor that patched the flaw. Ken Gannon, a researcher with the corporate-infosec arm of WithSecure, found that by eavesdropping on Bluetooth transmissions from Cue’s handheld reader device to its Android app, he could identify hexadecimal sequences that corresponded to test data, then rewrite them in a way the app accepted as legitimate.
“I was able to modify my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone,” Gannon says. “The process is essentially the same for changing a positive result to negative, which could lead to problems if somebody who knows how to do what I did decides to start falsifying results.”
WithSecure says Cue “responded promptly” to close the vulnerability and did not know of any faked test results outside those Gannon reported.
“The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration,” says Vimal Subramanian, VP of information security and privacy at Cue Health, in a statement.
A separate technical document shared in advance by WithSecure (with documentation published on GitHub) says Cue’s fix involves server-side checks but also advises that Cue users update their mobile apps to the current version—1.7.2 for Android and 1.7.1 for iOS—which will then prompt them to update the Cue device’s firmware.
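The modification Gannon describes works because the app trusted whatever bytes arrived over the Bluetooth link. As an added example (not Cue’s protocol or WithSecure’s code; the record layout, device key and function names are assumptions), here is that weak unauthenticated parse beside a hardened verifier that authenticates the record with an HMAC, so a rewritten result byte is rejected instead of being accepted as legitimate; Cue’s actual fix, per the document above, adds server-side checks.

```python
import hashlib
import hmac

# Constructed example of a reader-to-app result record. The byte layout, the
# per-device key and every name here are assumptions for illustration, not
# Cue's protocol or WithSecure's code.
RESULT_NEGATIVE = 0x00
RESULT_POSITIVE = 0x01
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def build_record(cartridge_id: bytes, result: int) -> bytes:
    """Reader side: cartridge id followed by a one-byte result field."""
    return cartridge_id + bytes([result])

def sign_record(record: bytes, key: bytes) -> bytes:
    """Reader side: append an HMAC under a device key, so any rewritten
    byte of the record no longer matches the tag."""
    return record + hmac.new(key, record, hashlib.sha256).digest()

def parse_unauthenticated(frame: bytes) -> int:
    """App side as described in the article: trust whatever result byte
    arrived over the link (the weak behaviour)."""
    return frame[-TAG_LEN - 1]

def verify_record(frame: bytes, key: bytes):
    """Hardened app or server side: recompute the tag, compare in constant
    time, and return the result byte only if it matches (else None)."""
    if len(frame) <= TAG_LEN:
        return None
    record, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return record[-1]

def demo() -> dict:
    """Sign a negative result, alter its result byte in transit, and compare
    what the unauthenticated and the verifying parser report."""
    key = bytes(range(32))  # constructed device key
    frame = sign_record(build_record(b"CART-0001", RESULT_NEGATIVE), key)
    # Simulated in-transit modification of the single result byte
    altered = frame[:-TAG_LEN - 1] + bytes([RESULT_POSITIVE]) + frame[-TAG_LEN:]
    return {
        "original_verified": verify_record(frame, key),
        "altered_unauthenticated": parse_unauthenticated(altered),
        "altered_verified": verify_record(altered, key),
    }
```

The device key must never be recoverable from the app or the Bluetooth traffic, which is one reason a check performed on the vendor’s server, as Cue chose, is the more robust place to enforce it.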
San Diego-based Cue’s system—promoted in a Super Bowl ad this March—consists of a $249 handheld reader that, with a COVID-19 test cartridge (a three-pack sells for $195), performs molecular nucleic acid amplification tests, a more sensitive check than the reagent rapid tests the government started giving away this winter.
Cue says a “NAAT” test like those in its kit “combines the diagnostic accuracy of a central lab with the speed and convenience of an at-home test.”
Researchers have found that for checking somebody’s infectiousness, regular reagent tests work better. But cheap at-home tests do not qualify under the Centers for Disease Control’s requirement that Americans test negative before flying home from outside the US; only professionally run tests or app-assisted test kits will do.
This latest episode of problematic IoT security would have been one way to evade that requirement. But as I have learned over three transatlantic trips since last summer, most recently returning in early March from MWC Barcelona, check-in counter agents may not examine PDFs of negative test results all that closely.