Cue Health announced Friday a patch for unsecured Bluetooth communications in its smart Cue Health Home COVID-19 Test that allowed the user or another attacker to change the results of the test. It is the second manufacturer of smart COVID-19 tests to patch this type of vulnerability after Ellume in December.
Both the Cue and Ellume vulnerabilities were discovered by Ken Gannon, a researcher with WithSecure (formerly F-Secure Business).
"As I was closing up the previous findings, I got an ad for another COVID test," Gannon told SC Media. "And I was like, 'Wow, that looks expensive. I want to buy it, see what I can do with it.' And here we are a few months later again, going through the same thing."
The Cue is a more expensive test because it is a more accurate nucleic acid amplification test than cheaper antigen tests.
"I thought it'd be a good test to see if this more accurate test had the same issues as the last one. It did," said Gannon.
While the test is itself accurate, an attacker could flip a single bit in the Bluetooth communications between the test and a mobile device or computer to change the result. The incorrect result would be uploaded to the Cue servers before a final result was certified by the company.
Cue and Ellume are both used in situations where accurate, certified, third-party results are critical. Both are permitted options for COVID testing for travel. The manufacturers remotely monitor test-takers through online video, allowing users to obtain third-party certified results without needing to go to a clinic.
Following Gannon's disclosure, Cue instituted checks to prevent fraudulent results.
"The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration. Thanks to WithSecure’s help, we confirmed that highly skilled individuals with cybersecurity expertise could change a test result, and we swiftly issued a software update to fix this issue to detect the falsification of COVID-19 test results in the Cue Health App,” said Vimal Subramanian, vice president of information security and privacy at Cue Health, in a statement.
Gannon cautioned that, despite his finding similar problems in two COVID tests, the devices themselves are broadly accurate — and as more researchers do more research, the tests will become even more trustworthy. Over focusing on the issues he found and insisting on in-person testing, he said, would eliminate some of the freedoms these devices allow.
"I just want to make sure that everyone does understand that there are people like me out there that are trying to make sure that these devices can stay within that level of confidence that people can use," he said.