Issue in test, authorized for use in the US, EU, Canada, India, and Singapore, could have allowed certain individuals with cyber security expertise to change test results.
Helsinki, Finland – April 21, 2022: WithSecure™ (formerly known as F-Secure Business), and healthcare technology company Cue Health, have worked together to address a security issue that WithSecure™ discovered in Cue’s COVID-19 test, which delivers the results of a nasal swab test via Bluetooth to a mobile device. The issue could have allowed a subset of users to change results within the platform’s Health App.
The COVID-19 test is a molecular test that offers users results in 20 minutes with accuracy that’s comparable to PCR tests performed in labs. Thanks to its speed, accuracy, and ease-of-use, it received authorization for professional or at-home use in the United States, European Union, Canada, India, and Singapore.
Ken Gannon, a WithSecure™ security consultant, discovered a method for changing results produced by the test.
“I was able to change my negative test result to positive by intercepting and changing the data as it was transmitted from Cue’s reader to the mobile app on my phone. And I got my test result certified by performing a proctored test within the platform’s Health App,” explained Gannon. “The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results.”
The COVID-19 test utilizes two different pieces of equipment: a test kit (which contains a cartridge and swab to collect a nasal sample), and a Cue Reader. The user inserts the kit’s cartridge into the reader, collects a sample with the included swab, and then places the swab into the cartridge. The cartridge performs the test and sends the data to the reader. The reader then transmits the result via Bluetooth to the platform’s Health App (available for iOS and Android) on the individual’s mobile device.
Gannon shared his research with Cue Health, who responded promptly, initiated an investigation, and swiftly implemented security improvements to prevent the future falsification of test results. Cue Health is not aware of any falsified test results beyond those reported by WithSecure™.
“The reliability and security of our technology is of the utmost importance to our company and we appreciate the WithSecure team’s collaboration. Thanks to WithSecure’s help, we confirmed that highly skilled individuals with cyber security expertise could change a test result, and we swiftly issued a software update to fix this issue to detect the falsification of COVID-19 test results in the Cue Health App,” said Vimal Subramanian, VP of Information Security and Privacy at Cue Health.
Gannon, who discovered similar problems in a COVID-19 test from a different vendor last December*, said he expects some types of devices to have these kinds of security issues.
Negative COVID-19 tests have become requirements for many activities, including traveling internationally into the United States. The potential for fraud related to evading COVID-19 restrictions was highlighted earlier this year when two nurses from New York were charged with $1.5 million in fraud related to COVID-19 vaccine cards**.
“Lately I’ve been looking into these COVID tests out of professional curiosity. However, the kind of issues I’m seeing are quite common in many different types of devices that use computers to perform specific tasks, such as internet of things devices. Because they’re so common, it’s important that vendors prepare ways to find and fix security issues before they cause problems for users. I’m satisfied with the collaboration with Cue Health to strengthen the integrity of their test,” added Gannon.
“We appreciated Ken reaching out to our team regarding his research. Reporting these sorts of issues directly to vendors helps make products people use safer and more reliable, which is exactly what we’ve done here,” Subramanian continued.
More information on Gannon’s research is available here: https://www.withsecure.com/en/expertise/research-and-innovation/research/faking-another-positive-covid-test.
About Cue Health
Cue Health (Nasdaq: HLTH) is a healthcare technology company that makes it easy for individuals to access health information and places diagnostic information at the center of care. Cue Health enables people to manage their health through real-time, actionable, and connected health information, offering individuals and their healthcare providers easy access to lab-quality diagnostics anywhere, anytime, in a device that fits in the palm of the hand. Cue Health's first-of-its-kind COVID-19 test was the first FDA-authorized molecular diagnostic test for at-home and over-the-counter use without a prescription and physician supervision. Outside the United States, Cue Health has received the CE mark in the European Union, Interim Order authorization from Health Canada, regulatory approval from India's Central Drugs Standard Control Organization, and PSAR authorization from Singapore’s Health Sciences Authority. Cue was founded in 2010 and is headquartered in San Diego. For more information, please visit www.cuehealth.com.
Statements in this press release about future expectations, plans and prospects, as well as any other statements regarding matters that are not historical facts, may constitute “forward-looking statements”. The words, without limitation, “anticipate,” “believe,” “continue,” “could,” “estimate,” “expect,” “intend,” “may,” “plan,” “potential,” “predict,” “project,” “should,” “target,” “will,” “would” and similar expressions are intended to identify forward-looking statements, although not all forward-looking statements contain these or similar identifying words. Actual results may differ materially from those indicated by such forward-looking statements as a result of various important factors, including those related to the expected future diagnostic test menu and the factors discussed in the “Risk Factors” section of the Form 10-Q dated November 10, 2021 filed by Cue with the SEC. Any forward-looking statements contained in this press release are based on the current expectations of Cue’s management team and speak only as of the date hereof, and Cue specifically disclaims any obligation to update any forward-looking statement, whether as a result of new information, future events or otherwise.
These products have not been FDA cleared or approved; but have been authorized by FDA under an Emergency Use Authorization (EUA). These products have been authorized only for the detection of nucleic acid from SARS-CoV-2, not for any other viruses or pathogens. The emergency use of these products is only authorized for the duration of the declaration that circumstances exist justifying the authorization of emergency use of in vitro diagnostics for detection and/or diagnosis of COVID-19 under Section 564(b)(1) of the Federal Food, Drug and Cosmetic Act, 21 U.S.C. § 360bbb-3(b)(1), unless the declaration is terminated or authorization is revoked sooner.
WithSecure™ media relations
WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.
Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.
WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.