WithSecure and Cue Health have resolved a problem with the results of COVID-19 tests sent over Bluetooth. The lack of a secure protocol allowed test results to be intercepted. Once that happened, they could be changed so that negative tests showed positive and vice versa. While the intercept is real, both companies say there is no evidence that anyone has made any changes.
WithSecure security consultant Ken Gannon discovered the vulnerability. He said, “I was able to change my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone. And I got my test result certified by performing a proctored test within the platform’s Health App.
“The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”
How does the test work?
The Cue Health COVID-19 test offers users a result within 20 minutes. It claims to be as accurate as PCR tests performed in labs. As countries have opened up to travel, one of the fit-to-fly test options is home testing using an approved device. Cue Health is one of the companies whose test kits have been approved by the US, EU, Canada, India and Singapore.
The test kit contains a cartridge, a Cue Reader and a swab. It works as follows:
- The user downloads the Cue Health App to their mobile device
- The cartridge is inserted into the Cue Reader
- A nasal swab is taken and put into the cartridge
- The cartridge assesses the swab and sends results to the Cue Reader
- The Cue Reader uses Bluetooth to transmit the results to the Cue Health App on the user’s mobile device
It is this last stage that Gannon found was vulnerable to interception and falsification.
Once the vulnerability was reported to Cue Health, it quickly investigated and improved the security of the transmission. It says that it is unaware of any falsified results outside of this report.
Enterprise Times: What does this mean?
Interestingly, this is not the first time Gannon has discovered problems with test kits. Last December, he discovered a problem with a test kit from another provider. If more test kits are shown to have similar problems, it may have repercussions for those who want a convenient and easy way of testing at home.
It is also a wake-up call for the medical device industry. There are an increasing number of home medical devices that communicate over Bluetooth. Security must be part of the initial discussion, not something you add when a researcher calls you out.