A security researcher discovered a bug in the at-home COVID-19 testing kit that could allow users to alter results.

The COVID-19 testing kit can detect a positive specimen in 20 minutes. The system tests for coronaviruses using a nasal swab that is inserted into a single-use cartridge and analyzed by the battery-powered Cue Reader, and the result appears in the app on the test-taker's phone. In March of 2021, the FDA granted emergency authorization to the Cue system for at-home and over-the-counter use.

While the FDA applauded Cue Health's innovative approach to COVID-19 testing, a security consultant found a flaw in the testing kit that could allow test results to be modified.

It is the second time the same researcher has discovered a security vulnerability in a connected COVID-19 test; he recently exposed a similar flaw in Ellume's COVID-19 Home Test.

The Protobuf protocol, used to present the test data in an easily readable block of data, was found to have a vulnerability. The block of data generated by the Reader ends in a certain order. The researcher, Ken Gannon, was able to modify the data by manipulating the digits. By changing a single digit in the result, he could change his negative result to a positive result, as well as obtain a certificate verifying the result as valid.

Image: a screenshot of a manipulated COVID-19 test result. Image credit: Ken Gannon.

The process for changing a positive result to a negative one is the same as for changing a negative result to a positive one. Negative COVID-19 tests have become a requirement for traveling into the United States.

The skill level required to flip those bits is high. I worry about the ability to modify the hack so that the average consumer can do the same hack. Because of this, I'm revealing technical details and custom code that only reverse engineers could understand.

Cue Health said it is not aware of any faked test results beyond those reported by WithSecure, but has added server-side checks to detect manipulated results. When asked if the company had the means to detect the manipulation of results prior to WithSecure's findings, Cue Health did not reply.
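Protobuf is a serialization format and carries no integrity protection of its own, so a block with one changed byte still decodes cleanly. The following added example (not code from Cue Health, WithSecure or the researcher) uses a constructed two-field message and a hypothetical reader-held HMAC key to show one form a server-side check could take; the field numbers, result codes, serial value and key are all assumptions.

```python
import hashlib
import hmac

def encode_varint(n):  # protobuf base-128 varint
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def encode_field(number, value):  # key = (field number << 3) | wire type 0 (varint)
    return encode_varint(number << 3) + encode_varint(value)

def read_varint(buf, pos):
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated varint")

def decode(buf):  # message made only of varint fields
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key & 0x07:
            raise ValueError("only varint fields are handled here")
        fields[key >> 3], pos = read_varint(buf, pos)
    return fields

# Constructed values: field numbers, result codes and key are hypothetical.
SERIAL_FIELD, RESULT_FIELD = 1, 3
NEGATIVE, POSITIVE = 0, 1
READER_KEY = b"constructed-demo-key"  # assumed known only to reader and server

def tag(payload):
    return hmac.new(READER_KEY, payload, hashlib.sha256).digest()

def server_accepts(payload, mac):  # recompute the tag, compare in constant time
    return hmac.compare_digest(tag(payload), mac)

def demo():
    payload = encode_field(SERIAL_FIELD, 48213) + encode_field(RESULT_FIELD, NEGATIVE)
    mac = tag(payload)
    altered = payload[:-1] + bytes([POSITIVE])  # one byte differs after leaving the reader
    return decode(altered), server_accepts(payload, mac), server_accepts(altered, mac)
```

The altered block decodes without error, which is why the check has to happen on the server against a tag the phone cannot recompute. A key embedded in the phone app instead of the reader would not provide that property.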

Users should update to the latest version of the Cue Health app.

A Bluetooth bug in a popular at-home COVID-19 test could falsify results