[Pass the SALT 2020] Pique curiosity, not diabetic fingers

Connected glucose sensors come in very handy for diabetic patients, saving them from the chore to prick their finger several times a day to check their blood glucose level.

The sensor is attached to the patient’s skin. Before first use, it must be activated during 1 hour - this is a warm up period. Then, it can be used for 2 weeks, after which the sensor expires and must be replaced. Those limits actually depend on the country, each sensor only being able to operate in a given geographical zone.

Despite the fact this IoT is quite well designed, we are able to bypass all of these limits:

  1. Resurrect an expired sensor,
  2. Kill a sensor (i.e have it expire before the 2 week limit),
  3. Modify the geographical zone,
  4. Modify the warm up or expiration period.

We explain how we achieved this. Part of the treasure quest was done using Ghidra, locating checksum functions and walking up the call stack. The sensor’s format uses losts of checksums and although this is quite common, we struggled at finding the exact algorithm used by the sensor! You will see why… We also reversed apparently disabled NFC commands of the sensor’s firmware and found lovely hints. Some other limitations are at software level, but they can’t stand Frida hooks :)

To conclude, we open the discussion on security risks of medical IoT. In that particular case, the sensor is not the weak link, but the smartphone is. We explain why.

References