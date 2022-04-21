

A new bug in a Bluetooth at-home COVID-19 test could produce false results

Carly Page

A security researcher has discovered a bug in Cue Health’s at-home COVID-19 testing kit that could allow users to falsify results.

Cue Health's COVID-19 testing kit is a Bluetooth-operated molecular test that can detect a positive specimen in 20 minutes. The system tests for coronavirus using a nasal swab that is inserted into a single-use cartridge and analyzed by the battery-powered Cue Reader, which then transmits the result over Bluetooth to the Cue Health app on the test-taker's phone. In March 2021, Cue’s system became the first molecular COVID-19 testing kit to receive emergency authorization from the FDA for at-home and over-the-counter use.

While the FDA at the time applauded Cue Health's innovative approach to COVID-19 testing, Ken Gannon, a security consultant at WithSecure, F-Secure's corporate security business, found a flaw in the testing kit that could allow test results to be modified.

It's the second time the same researcher has discovered a security vulnerability in a connected COVID-19 test; he recently exposed a similar flaw in Ellume’s COVID-19 Home Test. The findings call into question the integrity of testing kits rushed to market under the federal government's emergency approval powers.

The vulnerability, now fixed, was found in how the Cue Reader communicates with the Cue Health app over Bluetooth using the Protobuf protocol, which presents the test data in an easily readable block. The block of data generated by the Reader ends in “10 02” for a positive COVID-19 test result, or “10 03” for a negative result. Gannon developed a script that enabled him to intercept and modify the data by manipulating these digits. By changing a single digit in the result, or "bit-flipping," Gannon could change his negative result to a positive result and obtain a certificate verifying the results as valid.


A manipulated COVID-19 test result. Image Credits: Ken Gannon / WithSecure

“The process is basically the same for changing a positive result to negative, which could cause problems if someone who knows how to do what I did decides to start falsifying results,” said Gannon. Negative COVID-19 tests have become requirements for many activities, including traveling into the United States.

“As of right now, the skill level required to flip those bits is somewhat high," Gannon said. "A person would need to have decent knowledge into hacking mobile applications and running custom code within Cue’s application. However, one thing I’m always worried about with Android application hacking is the ability to customize the hack so that the average consumer can do the same hack. Because of this, I’m purposely disclosing technical details and custom code that only reverse engineers could understand and use," he added.

Gannon shared his research with Cue Health, which said it is not aware of any falsified test results beyond those reported by WithSecure, but said it has added server-side checks aimed at detecting manipulated results. Cue Health did not respond to TechCrunch when asked if the company had the means to detect the manipulation of results prior to WithSecure's findings.

Users should also update to the latest version of the Cue Health app.
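
Added example (not from the article, WithSecure or Cue Health): it decodes the trailing result field described above on a constructed message and shows how an integrity tag verified server-side detects a changed byte. The per-device HMAC key, the leading `test` field and all function names are assumptions; the article does not say what Cue's server-side checks actually are.

```python
import hashlib
import hmac

# Article: message ends "10 02" (positive) or "10 03" (negative); 0x10 = field 2, varint.
RESULT_NAMES = {2: "positive", 3: "negative"}

def read_varint(buf, pos):
    """Decode one Protobuf base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated varint")

def parse_fields(buf):
    """Return [(field_number, value)] for varint and length-delimited fields."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key & 7 == 0:                      # wire type 0: varint
            value, pos = read_varint(buf, pos)
        elif key & 7 == 2:                    # wire type 2: length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated field")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError("unsupported wire type")
        fields.append((key >> 3, value))
    return fields

def result_of(message):
    """Name the result carried in the final field of the message."""
    number, value = parse_fields(message)[-1]
    return RESULT_NAMES.get(value, "unknown") if number == 2 else "unknown"

def reader_tag(device_key, message):
    """Assumed design: the reader MACs the whole message with a per-device key."""
    return hmac.new(device_key, message, hashlib.sha256).digest()

def server_accepts(device_key, message, tag):
    return hmac.compare_digest(reader_tag(device_key, message), tag)  # any changed byte fails

# Constructed sample: field 1 = b"test" (placeholder), then the trailing 10 03.
KEY = b"constructed-demo-key"
SAMPLE = bytes.fromhex("0a04746573741003")
ALTERED = SAMPLE[:-1] + b"\x02"               # same message with the last byte changed
TAG = reader_tag(KEY, SAMPLE)
```

Without a tag the app or server cannot tell `SAMPLE` from `ALTERED`, since both parse as well-formed messages; the check only holds if the key stays inside the reader and never ships in the mobile app.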
