A security researcher has discovered a bug in Cue Health’s at-home COVID-19 test kit that could allow users to falsify results.
Cue Health’s COVID-19 test kit is a Bluetooth-powered molecular test that can detect a positive sample in 20 minutes. The system tests for coronavirus using a nasal swab that is inserted into a disposable cartridge and analyzed by the battery-powered Cue Reader, which then sends the result via Bluetooth to the Cue Health app on the test taker’s phone. In March 2021, Cue’s system became the first COVID-19 molecular test kit to receive emergency approval from the FDA for home use and over-the-counter use.
While the FDA at the time endorsed Cue Health’s innovative approach to COVID-19 testing, Ken Gannon, a security consultant at WithSecure, F-Secure’s corporate security firm, found a bug in the test kit that could be used to change test results.
This is the second time the same researcher has discovered a security vulnerability in a COVID-19 test: he recently revealed a similar flaw in Ellume’s COVID-19 home test, calling into question the integrity of test kits rushed to market under the federal government’s emergency clearance powers.
The vulnerability, now fixed, was found in how the Cue Reader communicates with the Cue Health app over Bluetooth using the Protobuf protocol, which presents the test data in an easy-to-read block of data. The block of data generated by the reader ends with “10 02” for a positive COVID-19 test result or “10 03” for a negative result. Gannon developed a script that allowed him to intercept and modify the data by manipulating these digits. By changing a single digit in the result, or “bit-flipping”, Gannon could change his negative result to a positive one and obtain a certificate confirming the result as valid.
“The process is basically the same to change a positive result into a negative one, which can cause problems if someone who knows how to do what I did decides to start falsifying results,” Gannon said. Negative COVID-19 tests have become a requirement for many activities, including travel to the United States.
“Right now, the skill level required to flip those bits is somewhat high,” Gannon said. “A person must have decent knowledge of hacking mobile applications and running custom code in Cue’s application. But one thing I am always worried about with Android application hacking is the ability to customize the hack so that the average consumer can do the same hack. Because of this, I deliberately reveal technical details and custom code that only the reverse engineer can understand and use,” he added.
Gannon shared his research with Cue Health, which said it is not aware of any falsified test results other than those reported by WithSecure, but said it has added server-side checks to detect manipulated results. Cue Health did not respond when TechCrunch asked whether the company had the means to detect manipulation of results before WithSecure’s findings.
Users should also update to the latest version of the Cue Health app.
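As an added illustration (not code from WithSecure or Cue Health): under Protobuf wire encoding the byte `10` reads as the tag for field 2 with varint type, so the trailing `02` or `03` is a single value byte with no integrity protection of its own. The sketch below decodes a constructed message and shows one way a server could reject a modified one, assuming a per-reader HMAC key; the message layout, key and function names are hypothetical, and the article does not say which checks Cue Health actually added.

```python
import hashlib
import hmac

DEVICE_KEY = b"constructed-demo-key"  # assumption: secret shared by reader and server

def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated or oversized varint")

def parse_fields(buf):
    """Return [(field_number, wire_type, value)] for varint and bytes fields."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x07
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited bytes
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("truncated field")
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields

def seal(payload):
    """Reader side (hypothetical): append HMAC-SHA256 over the whole payload."""
    return payload + hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()

def server_verify(blob):
    """Server side: return parsed fields, or None if the tag does not match."""
    payload, tag = blob[:-32], blob[-32:]
    expected = hmac.new(DEVICE_KEY, payload, hashlib.sha256).digest()
    if len(blob) < 32 or not hmac.compare_digest(tag, expected):
        return None
    return parse_fields(payload)

# Constructed sample: field 1 = b"CART" (made-up cartridge id), then the "10 03" ending.
SAMPLE = bytes.fromhex("0a0443415254") + bytes.fromhex("1003")
SEALED = seal(SAMPLE)
# Same blob with the result byte altered in transit, tag left as the reader sent it.
ALTERED = SEALED[:len(SAMPLE) - 1] + b"\x02" + SEALED[len(SAMPLE):]
```

A check like this only helps if the key stays inside the reader, because the modification described in the article happens on the phone.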