A now-fixed Bluetooth vulnerability in a home COVID-19 testing device could have been exploited to fake test results.
Security research firm WithSecure announced the news Thursday morning together with Cue Health, the device vendor that patched the flaw. Ken Gannon, a researcher with the corporate-infosec arm of WithSecure, found that by eavesdropping on the Bluetooth transmissions from Cue's handheld reader to its Android app, he could identify the hexadecimal sequences that corresponded to the test data, then rewrite them in a form the app accepted as legitimate.
“I was able to change my negative test result to a positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone,” Gannon says. “The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”
WithSecure says Cue "responded promptly" to close the vulnerability and is not aware of any faked test results other than those Gannon produced in his research.
“The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration,” says Vimal Subramanian, VP of information security and privacy at Cue Health, in a statement.
A technical advisory WithSecure shared in advance (its documentation is published on GitHub) says Cue's fix involves server-side checks. It also advises Cue users to update their mobile apps to the current version (1.7.2 for Android and 1.7.1 for iOS), which will then prompt them to update the Cue reader's firmware.
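The attack and the fix described above come down to one question: does anything downstream of the Bluetooth link check that the result bytes are the ones the reader actually produced? The following Python example, added here and not taken from Cue's or WithSecure's code, uses a made-up frame layout (magic bytes, a test ID, a one-byte result) to show the two halves of the story: an attacker who can see the link patches the result byte and an app that only parses the frame accepts it, while a consumer that recomputes an HMAC over the frame under a key the attacker does not hold rejects the patched copy. The frame format, the offsets and the device key are all assumptions for illustration; Cue's real protocol and the exact server-side checks are not described on this page.

```python
import hashlib
import hmac
import struct

# Hypothetical reader-to-app frame (constructed for this example; NOT Cue's real format):
#   magic(2) | test_id(4, big-endian) | result(1: 0=negative, 1=positive) [| tag(32, HMAC-SHA256)]
MAGIC = b"\xa5\x5a"
RESULT_OFFSET = 6
TAG_LEN = 32
NEGATIVE, POSITIVE = 0, 1

# Assumed per-device secret the reader shares only with the vendor's server (constructed).
DEVICE_KEY = bytes.fromhex("8f" * 32)


def build_frame(test_id, result, key=None):
    """Reader side: emit a plain frame, or an authenticated one if a key is given."""
    body = MAGIC + struct.pack(">IB", test_id, result)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


def flip_result(frame):
    """Attacker side: having identified which byte encodes the result, rewrite it in transit."""
    patched = bytearray(frame)
    patched[RESULT_OFFSET] = POSITIVE if patched[RESULT_OFFSET] == NEGATIVE else NEGATIVE
    return bytes(patched)


def parse_unauthenticated(frame):
    """The weak consumer: trusts whatever arrived over the link."""
    if len(frame) < RESULT_OFFSET + 1 or frame[:2] != MAGIC:
        raise ValueError("malformed frame")
    test_id, result = struct.unpack(">IB", frame[2:RESULT_OFFSET + 1])
    return test_id, result


def verify_and_parse(frame, key):
    """The hardened consumer (e.g. the vendor's server): recompute the MAC before believing the result."""
    if len(frame) < RESULT_OFFSET + 1 + TAG_LEN:
        raise ValueError("frame too short to carry an authentication tag")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: frame was modified in transit")
    return parse_unauthenticated(body)


if __name__ == "__main__":
    plain = build_frame(42, NEGATIVE)
    print("unauthenticated, tampered:", parse_unauthenticated(flip_result(plain)))  # accepted as positive
    signed = build_frame(42, NEGATIVE, DEVICE_KEY)
    print("authenticated, original:", verify_and_parse(signed, DEVICE_KEY))
    try:
        verify_and_parse(flip_result(signed), DEVICE_KEY)
    except ValueError as exc:
        print("authenticated, tampered:", exc)
```

The design point is where the check runs, not just that one exists: a MAC verified inside a mobile app on the attacker's own phone can be bypassed by patching the app, which is why a fix that moves the check to the server, as the advisory describes, is the meaningful part. The key must also be something the reader holds and the phone never sees; otherwise the attacker can simply re-sign the patched frame.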
San Diego-based Cue’s system—promoted in a Super Bowl ad this March—consists of a $249 handheld reader that with a COVID-19
Read more on pcmag.com