Research Bulletin: Faking Another Positive COVID Test
Research Summary
- WithSecure™ conducted research into the Cue Health Home COVID-19 Test with the intention of finding methods to create fraudulent COVID-19 test results. This device was chosen because the reader unit used Bluetooth to send test results to the patient's phone.
- WithSecure™ was successful in falsifying a COVID-19 test result and obtaining a certificate verifying that this COVID-19 test result was valid.
- Cue swiftly issued a software update to fix this issue and detect the falsification of COVID-19 test results.
Background
Cue’s COVID-19 test is a molecular test that offers users results in 20 minutes with accuracy that’s comparable to PCR tests performed in labs. It utilizes two different pieces of equipment: a test kit (which contains a cartridge and a swab to collect a nasal sample), and a Cue Reader. The user inserts the kit’s cartridge into the reader, collects a sample with the included swab, and then places the swab into the cartridge. The cartridge performs the test and sends the data to the reader. The reader then transmits the result via Bluetooth to the Cue Health App (available for iOS and Android) on the individual’s mobile device.
Furthermore, users can take the test under supervision from a Cue Health representative to obtain a certified result. The test has received authorization for professional or at-home use in the United States, European Union, Canada, India, and Singapore.
Research Findings
Ken Gannon, a WithSecure™ consultant and researcher, successfully falsified a certified COVID-19 test result produced by Cue Health Home’s COVID-19 Test. By using a Frida script to intercept information transmitted via Bluetooth from the reader to the app, he was able to accomplish the following:
- Determine whether the reader received a positive or negative test result
- Switch the result from positive to negative, or negative to positive
- Submit the modified data to the app
Furthermore, Gannon was able to change a test result while taking a test under the supervision of a proctor appointed by Cue.
A comprehensive technical write-up of the research is available here: https://labs.f-secure.com/blog/faking-another-positive-covid-test.
Outcome
WithSecure™ reached out to Cue Health to share this research ahead of its public disclosure. Cue Health responded quickly and has added server-side checks that should detect manipulated test results.
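The sketch below is an added illustration, not part of the original bulletin and not Cue's actual fix, whose details are not given here. It shows one general way a server can detect a result altered in the mobile app: the reader authenticates the result with a key the app never holds, bound to a one-time session nonce issued by the server. The per-reader key, the field names, and all sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed key table (assumption): each reader holds a secret the phone app never sees.
READER_KEYS = {"reader-001": bytes(range(32))}


def _mac(key, reader_id, cartridge_id, nonce, result):
    # Length-prefix every field so values cannot be shifted across field boundaries.
    fields = (reader_id.encode(), cartridge_id.encode(), nonce, result.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def reader_report(reader_id, cartridge_id, nonce, result):
    """Hypothetical reader firmware: authenticate the result before it leaves the device."""
    tag = _mac(READER_KEYS[reader_id], reader_id, cartridge_id, nonce, result)
    return {"reader_id": reader_id, "cartridge_id": cartridge_id,
            "nonce": nonce, "result": result, "tag": tag}


class Server:
    def __init__(self):
        self.open_sessions = {}  # nonce -> reader_id, one entry per test in progress

    def start_session(self, reader_id):
        if reader_id not in READER_KEYS:
            raise KeyError(reader_id)
        nonce = secrets.token_bytes(16)  # fresh per test, so old reports cannot be replayed
        self.open_sessions[nonce] = reader_id
        return nonce

    def submit(self, report):
        # The session is consumed on first use, whether or not the report verifies.
        reader_id = self.open_sessions.pop(report["nonce"], None)
        if reader_id is None or reader_id != report["reader_id"]:
            return "rejected: unknown or reused session"
        expected = _mac(READER_KEYS[reader_id], reader_id, report["cartridge_id"],
                        report["nonce"], report["result"])
        if not hmac.compare_digest(expected, report["tag"]):
            return "rejected: result does not match reader tag"
        return "accepted: " + report["result"]


def demo():
    srv = Server()
    honest = reader_report("reader-001", "cart-42", srv.start_session("reader-001"), "positive")
    relayed = reader_report("reader-001", "cart-43", srv.start_session("reader-001"), "positive")
    flipped = dict(relayed, result="negative")  # result changed while passing through the app
    return [srv.submit(honest), srv.submit(honest), srv.submit(flipped)]
```

With this design the phone app is only a relay: it can drop a report, but it cannot change the result or reuse an old one without the server noticing.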
It is worth noting that the results from this research are roughly consistent with a previous investigation Gannon conducted on another COVID-19 home test (https://labs.f-secure.com/blog/faking-a-positive-covid-test). Given this, both users and product vendors should consider whether other tests could have similar problems.