WithSecure and Cue Health have worked together to address a security issue that WithSecure discovered in Cue’s COVID-19 test, which delivers the results of a nasal swab test via Bluetooth to a mobile device. The issue could have allowed a subset of users to change results within the platform’s Health App.
The COVID-19 test is a molecular test that offers users results in 20 minutes with accuracy that’s comparable to PCR tests performed in labs. The test received authorization for professional or at-home use in the United States, European Union, Canada, India, and Singapore.
“I was able to change my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone. And I got my test result certified by performing a proctored test within the platform’s Health App,” explained Gannon. “The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”
The COVID-19 test utilizes two different pieces of equipment: a test kit (which contains a cartridge and swab to collect a nasal sample), and a Cue Reader. The user inserts the kit’s cartridge into the reader, collects a sample with the included swab, and then places the swab into the cartridge. The cartridge performs the test and sends the data to the reader. The reader then transmits the result via Bluetooth to the platform’s Health App (available for iOS and Android) on the individual’s mobile device.
Gannon shared his research with Cue Health, which responded promptly, initiated an investigation, and swiftly implemented security improvements to prevent the future falsification of test results. Cue Health is not aware of any falsified test results beyond those reported by WithSecure.
“Thanks to WithSecure’s help, we confirmed that highly skilled individuals with cyber security expertise could change a test result, and we swiftly issued a software update to fix this issue to detect the falsification of COVID-19 test results in the Cue Health App,” said Vimal Subramanian, VP of Information Security and Privacy at Cue Health.
Gannon, who discovered similar problems in a COVID-19 test from a different vendor last December, said he expects some types of devices to have these kinds of security issues. Negative COVID-19 tests have become requirements for many activities, including traveling internationally into the United States. The potential for fraud related to evading COVID-19 restrictions was highlighted earlier this month when two nurses from New York were charged with $1.5 million in fraud related to COVID-19 vaccine cards.
“Lately I’ve been looking into these COVID tests out of professional curiosity. However, the kind of issues I’m seeing are quite common in many different types of devices that use computers to perform specific tasks, such as internet of things devices. Because they’re so common, it’s important that vendors prepare ways to find and fix security issues before they cause problems for users. I’m satisfied with the collaboration with Cue Health to strengthen the integrity of their test,” added Gannon.