Flaw in COVID-19 Testing Gadget Could’ve Been Exploited to Change Results

A now-patched Bluetooth vulnerability in a home COVID-19 testing system could have been exploited to fake test results.

Security research firm WithSecure announced the news Thursday morning together with Cue Health, the device vendor that patched the flaw. Ken Gannon, a researcher with the enterprise-infosec arm of WithSecure, found that by eavesdropping on Bluetooth transmissions from Cue’s handheld reader device to its Android app, he could identify hexadecimal sequences that corresponded to test data, then rewrite them in a way the app accepted as legitimate.

“I was able to change my negative test result to a positive by intercepting and altering the data as it was transmitted from Cue’s reader to the mobile app on my phone,” Gannon says. “The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”

WithSecure says Cue “responded promptly” to close the vulnerability and did not know of any faked test results beyond those Gannon reported.

“The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration,” says Vimal Subramanian, VP of information security and privacy at Cue Health, in a statement.

A separate technical document shared in advance by WithSecure (with documentation published on GitHub) states that Cue’s fix involves server-side checks, but also advises Cue users to update their mobile apps to the latest version—1.7.2 for Android and 1.7.1 for iOS—which will then prompt them to update the Cue device’s firmware.
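To make the two technical points in this story concrete (the intercept-and-rewrite step Gannon describes, and why a check that lives on the server rather than in the phone app closes it), here is an added Python example. It is not Cue’s or WithSecure’s code: the frame layout, the per-device key and the use of HMAC-SHA256 are all assumptions constructed for illustration, and the article does not describe Cue’s actual Bluetooth protocol or what its server-side checks do.

```python
import hmac
import hashlib
from typing import Optional

# Constructed, hypothetical frame layout for illustration only (NOT Cue's format):
#   byte 0      : message type (0x10 = "result report")
#   bytes 1-4   : cartridge/test identifier, big-endian
#   byte 5      : result, 0x00 = negative, 0x01 = positive
#   bytes 6-37  : HMAC-SHA256 over bytes 0-5, keyed with a per-device secret
#                 that the phone app never holds (assumed design, not Cue's)
MSG_RESULT = 0x10
RESULT_NEGATIVE = 0x00
RESULT_POSITIVE = 0x01
BODY_LEN = 6
TAG_LEN = 32


def build_frame(test_id: int, result: int, device_key: bytes) -> bytes:
    """Reader side: emit a result frame authenticated with the device key."""
    body = bytes([MSG_RESULT]) + test_id.to_bytes(4, "big") + bytes([result])
    tag = hmac.new(device_key, body, hashlib.sha256).digest()
    return body + tag


def app_reads_result(frame: bytes) -> int:
    """The weak behaviour being modelled: the app takes the result byte at face value,
    so whatever arrives over the radio is what gets displayed and reported."""
    return frame[5]


def tamper_result(frame: bytes) -> bytes:
    """Eavesdropper-in-the-middle step: locate the result byte in the captured
    frame, flip it, and leave every other byte untouched."""
    flipped = RESULT_POSITIVE if frame[5] == RESULT_NEGATIVE else RESULT_NEGATIVE
    return frame[:5] + bytes([flipped]) + frame[6:]


def server_verify(frame: bytes, device_key: bytes) -> Optional[int]:
    """Server-side check: recompute the tag over the body with the device key and
    compare in constant time. Returns the result only for an authentic frame;
    a rewritten result byte no longer matches the tag and is rejected (None)."""
    if len(frame) != BODY_LEN + TAG_LEN or frame[0] != MSG_RESULT:
        return None
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body[5]


def demo() -> dict:
    """Run the genuine and the tampered frame through both checks."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed device key
    genuine = build_frame(0xCAFE0001, RESULT_NEGATIVE, key)
    forged = tamper_result(genuine)  # what the attacker relays to the phone
    return {
        "app_genuine": app_reads_result(genuine),      # 0: negative
        "app_forged": app_reads_result(forged),        # 1: app now shows positive
        "server_genuine": server_verify(genuine, key), # 0: accepted
        "server_forged": server_verify(forged, key),   # None: rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is that any result byte the phone reads off the radio can be rewritten by whoever sits between reader and phone, so a check performed only in the app is a check the attacker controls. A tag keyed with a secret the phone never sees lets the server refuse the rewritten frame. That protection lasts only as long as the secret cannot be pulled out of the reader or the app, which is one reason a fix of this kind may need a firmware update and not just an app update.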

San Diego-based Cue’s system—promoted in a Super Bowl ad this February—consists of a $249 handheld reader that, with a COVID-19 test cartridge (a three-pack sells for $195), performs molecular nucleic acid amplification tests, a more sensitive test than the reagent rapid tests the government began giving away this winter.

Cue says a “NAAT” test like those in its kit “combines the diagnostic accuracy of a central lab with the speed and convenience of an at-home test.”

Researchers have found that for assessing someone’s infectiousness, standard reagent tests work better. But cheap at-home tests don’t qualify under the Centers for Disease Control’s requirement that Americans test negative before flying home from outside the US; only professionally run tests or app-assisted test kits will do.

This latest episode of problematic IoT security would have been one way to evade that requirement. But as I’ve learned over three transatlantic trips since last summer, most recently returning in early March from MWC Barcelona, check-in counter agents may not examine PDFs of negative test results all that closely.