Flaw in COVID-19 Testing Gadget Could’ve Been Exploited to Change Results
A now-fixed Bluetooth vulnerability in a home COVID-19 testing product could have been exploited to fake test results.
Security research company WithSecure announced the news Thursday morning with Cue Health, the device vendor that patched the flaw. Ken Gannon, a researcher with the company-infosec arm of WithSecure, observed that by eavesdropping on Bluetooth transmissions from Cue’s handheld reader unit to its Android app, he could detect hexadecimal sequences that corresponded to test data, then rewrite them in a way the app recognized as legitimate.
“I was able to change my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone,” Gannon says. “The process is essentially the same for changing a positive result to negative, which could lead to problems if someone who knows how to do what I did decides to start falsifying results.”
WithSecure says Cue “responded promptly” to close the vulnerability and did not know of any faked test results outside those Gannon described.
“The reliability and security of our technology is of the utmost importance to our company and we value the WithSecure team’s collaboration,” says Vimal Subramanian, VP of information security and privacy at Cue Health, in a statement.
A second technical document shared in advance by WithSecure (with documentation published on GitHub) says Cue’s fix consists of server-side checks but also advises that Cue users update their mobile apps to the current version—1.7.2 for Android and 1.7.1 for iOS—which will then prompt them to update the Cue device’s firmware.
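The article does not say how Cue's server-side checks work. As an added illustration (not Cue's or WithSecure's code), the sketch below shows one common design for such a check: the reader authenticates each result with a per-device key and a server-issued nonce, so a report altered or replayed between reader and app is rejected by the server. The key, device ID, message fields and class names are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device key that only the reader and the vendor's server
# hold (an assumption for this example; the article gives no such detail).
DEVICE_KEYS = {"reader-001": bytes.fromhex("00112233445566778899aabbccddeeff")}

def canonical(record: dict) -> bytes:
    """Serialize deterministically so reader and server MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def reader_report(device_id: str, key: bytes, nonce: str, result: str) -> dict:
    """Reader side: bind the result to this device and the server's nonce."""
    record = {"device": device_id, "nonce": nonce, "result": result}
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}

class Server:
    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = set()  # nonces issued for tests not yet reported

    def start_test(self) -> str:
        """Issue a fresh nonce that the reader must include in its report."""
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, msg: dict) -> bool:
        """Reject malformed, unknown-device, replayed or altered reports."""
        fields = ("device", "nonce", "result", "tag")
        if not all(isinstance(msg.get(k), str) for k in fields):
            return False
        key = self.keys.get(msg["device"])
        if key is None or msg["nonce"] not in self.pending:
            return False
        record = {k: msg[k] for k in ("device", "nonce", "result")}
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), msg["tag"].encode()):
            return False
        self.pending.discard(msg["nonce"])  # one report per test session
        return True

def demo():
    server = Server(DEVICE_KEYS)
    nonce = server.start_test()
    msg = reader_report("reader-001", DEVICE_KEYS["reader-001"], nonce, "negative")
    altered = {**msg, "result": "positive"}  # changed in transit, tag unchanged
    return server.accept(altered), server.accept(msg), server.accept(msg)
```

`demo()` returns `(False, True, False)`: the altered report is rejected, the genuine one is accepted once, and a replay of it is rejected.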
San Diego-based Cue’s system—promoted in a Super Bowl ad this March—consists of a $249 handheld reader that, with a COVID-19 test cartridge (a 3-pack sells for $195), performs molecular nucleic acid amplification tests, a more sensitive check than the antigen rapid tests the federal government began giving away this winter.
Cue says a “NAAT” test like those in its kit “combines the diagnostic accuracy of a central lab with the speed and convenience of an at-home test.”
Researchers have found that for assessing somebody’s infectiousness, frequent antigen testing works better. But cheap at-home tests do not qualify under the Centers for Disease Control’s requirement that Americans test negative before flying home from outside the US; only professionally run tests or app-assisted test kits will do.
This latest episode of problematic IoT security would have been one way to evade that requirement. But as I have learned over a few transatlantic trips since last summer, most recently returning in early March from MWC Barcelona, check-in counter agents may not inspect PDFs of negative test results all that closely.