Tuesday, December 9, 2014

Abbott Freestyle Libre: something every Libre user should know!

The Dark Side of the Libre

In previous posts, I have written in glowing terms about the performance of the Abbott Freestyle Libre. As a glucose monitoring tool, it is extremely impressive. However, I am not too impressed (to say the least) with the ecosystem. While the Libre software is, in some ways, quite innovative, it has its dark side.

Users can't fail to notice that, in order to access reports, the Libre software must be started and the Libre reader must be connected to your computer. A casual look at the files installed in the FreeStyle Libre folder shows this, among other files

That's the OpenSSL shared library. This library is used to secure Internet communications and is actually (relative to its build date) updated for the latest SSL vulnerability known at the time. Isn't it nice to see a medical device company caring about the safety of our medical data?

But what is it used for? TCP/IP connections can be established and secured locally over USB. Nothing wrong with that even though it may seem a bit like overkill in this case. Could there be more to it? Let's find out...

UPDATE: since this article was written, I have decrypted the transfer. See here and here for more details about the content

"wiresharking" the Libre software

Let's fire up Process Monitor and Wireshark, start the Libre Software and find out.

As you can see, two remote sessions are started. The first one connects to and starts downloading some information from that server. This session starts as soon as the Libre software is started, regardless of the presence of the Libre reader. The Dexcom Studio software essentially does the same thing, downloading harmless data and linking to the Dexcom web site (in an unsecured way). That's no big deal, most software today is connected to remote sites, if only to check for latest news and update availability. The data transfer for that session is mostly "download" - from the web to your computer. But look at this below (already apparent in the procmon capture above)

As soon as you connect your Libre Reader, a new session is opened, to and, in that case, the traffic consists mostly of TCP Send, in other words, data from your computer (presumably the reader) to a remote address.
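The "mostly download" versus "mostly TCP Send" comparison above can be made measurable from a Process Monitor CSV export. The following is an added example, not code from the original post: the process name, hosts and byte counts in the sample are constructed, and the column layout is assumed to match a standard Process Monitor export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process name, hosts and lengths are invented; a real export read from disk
# should be opened with encoding="utf-8-sig" to drop the byte-order mark.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","LibreExample.exe","4242","TCP Connect","pc:49801 -> news.example.invalid:https","SUCCESS","Length: 0, mss: 1460"
"10:00:01.2","LibreExample.exe","4242","TCP Send","pc:49801 -> news.example.invalid:https","SUCCESS","Length: 310, startime: 1, endtime: 2"
"10:00:01.4","LibreExample.exe","4242","TCP Receive","pc:49801 -> news.example.invalid:https","SUCCESS","Length: 14200, seqnum: 0, connid: 0"
"10:00:01.6","LibreExample.exe","4242","TCP Receive","pc:49801 -> news.example.invalid:https","SUCCESS","Length: 9800, seqnum: 0, connid: 0"
"10:02:10.0","LibreExample.exe","4242","TCP Send","pc:49822 -> upload.example.invalid:https","SUCCESS","Length: 16384, startime: 5, endtime: 6"
"10:02:10.3","LibreExample.exe","4242","TCP Send","pc:49822 -> upload.example.invalid:https","SUCCESS","Length: 16384, startime: 6, endtime: 7"
"10:02:10.6","LibreExample.exe","4242","TCP Send","pc:49822 -> upload.example.invalid:https","SUCCESS","Length: 8000, startime: 7, endtime: 8"
"10:02:10.9","LibreExample.exe","4242","TCP Receive","pc:49822 -> upload.example.invalid:https","SUCCESS","Length: 420, seqnum: 0, connid: 0"
"10:02:11.0","OtherApp.exe","5151","TCP Send","pc:49830 -> other.example.invalid:https","SUCCESS","Length: 999, startime: 8, endtime: 9"
'''

LENGTH_RE = re.compile(r"Length:\s*(\d+)")

def summarize(csv_text, process_name):
    """Sum bytes sent and received per remote endpoint for one process."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in ("TCP Send", "TCP Receive"):
            continue  # connects and disconnects carry no payload
        match = LENGTH_RE.search(row["Detail"])
        if " -> " not in row["Path"] or not match:
            continue  # malformed row: skip rather than guess
        remote = row["Path"].split(" -> ", 1)[1]
        direction = "sent" if row["Operation"] == "TCP Send" else "received"
        totals[remote][direction] += int(match.group(1))
    return dict(totals)

def classify(totals, ratio=2.0):
    """Label each endpoint 'upload', 'download' or 'mixed' by byte ratio."""
    labels = {}
    for remote, t in totals.items():
        if t["sent"] >= ratio * max(t["received"], 1):
            labels[remote] = "upload"
        elif t["received"] >= ratio * max(t["sent"], 1):
            labels[remote] = "download"
        else:
            labels[remote] = "mixed"
    return labels

if __name__ == "__main__":
    print(classify(summarize(SAMPLE_CSV, "LibreExample.exe")))
```

Byte totals per endpoint show the direction and volume of traffic only; with SSL in use they say nothing about what the payload contains.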

WTF, I hear you say?

It seems Abbott is a bit nosy here! is hosted in the US, on the aptly named "Very Curious Art" ISP

The "Very Curious Art" name would be funny in a "gotcha" kind of way if that's where our data went to. But Abbott doesn't seem to have enough sense of humor for that kind of pun and the snoops are actually located at, the Abbott Diabetes Care R&D hosting center.

Because of the use of SSL, it is a bit hard (but not impossible with a local Man In The Middle attack) to know what Abbott is actually uploading there, but given the size of the data transfers, I would assume Abbott is simply covertly uploading your results to its servers in the US. Results that potentially include
  • glucose values
  • insulin values and treatment options
  • exercise and meal values
  • patient identification
  • system related data such as sensor error rates, temperatures, etc...
That's potentially a ton of information!

Is this legal? Have I given my consent? Have I given my informed consent?

Frankly, I don't know. I am a European Union citizen, living in the European Union, and I don't remember having explicitly authorized Abbott to send my health data to its own servers in the US. It can be that I have implicitly agreed to that data export by clicking on the license agreement (which I did not read, like everyone else) but that certainly wouldn't pass as informed consent or opt-in. It could be that Abbott only sends technical information back to its servers (but then, it could probably do it in smaller transfers). It could be that Abbott anonymizes everything it exports properly (you never know). Abbott might have good intentions, might be in the process of running a huge scale study on diabetics for which it has received approval. But I certainly would have appreciated receiving adequate information and being offered the opportunity to opt out.

If that bothers you, a quick solution (but probably not a permanent one) is to use your firewall to block connections to those addresses - for example

Thanks for reading!

Update 1: I have now read the license and Abbott clearly states they don't have any access to our data. Sounds fine, but that makes what they are uploading even more interesting in a way: what do they absolutely need?

Update 2: I have received quite a few reactions to this post. I'd like to clarify a bit for readers who don't have a TCP/IP or IT Security background. The technical information given above proves that the Libre software phones "home" in the US and uploads _something_ on their server. It doesn't prove that it uploads your data: it could upload engineering data from the sensor, integrity checks, etc... In fact, they could even covertly intercept your banking information or browsing habits, etc... and upload them (they don't do that I am sure). That's the main issue at this point: covertly uploading _something_ without being upfront about it (if only with a single message in the software).

Update 3: the upload URL is located in the config file that can be found in the "hidden" ProgramData folder - in my case

C:\ProgramData\Abbott Diabetes Care 

in the FreeStyle Libre.ini file. Pointing that URL to an internal address, or entering bogus or empty data should also disable the upload.

app_license_path_string=C:/Program Files (x86)/FreeStyle Libre/license_en_GB.pdf
installDir=C:\Program Files (x86)\FreeStyle Libre
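After editing the .ini as described, it is worth checking that no remaining key still points at an external host. The following is an added example, not code from the original post: the key name `upload_url_example` and its URL are hypothetical, since the post does not name the key, and only the first two sample lines come from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample. The first two lines are quoted in the post; the third
# key and its value are hypothetical stand-ins for the upload URL setting.
SAMPLE_INI = """\
app_license_path_string=C:/Program Files (x86)/FreeStyle Libre/license_en_GB.pdf
installDir=C:\\Program Files (x86)\\FreeStyle Libre
upload_url_example=https://upload.example.invalid/api
"""

def is_internal(host):
    """True for an empty host, localhost, or a loopback/private/unspecified IP."""
    if host in ("", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: treated as external, it may resolve anywhere
    return ip.is_loopback or ip.is_private or ip.is_unspecified

def external_urls(ini_text):
    """Return (key, value) pairs whose value is an http(s) URL to an external host."""
    findings = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank lines, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        try:
            parts = urlsplit(value)
            host = parts.hostname or ""
        except ValueError:
            continue  # unparseable value: bogus data, nothing to connect to
        # Windows paths such as C:/... parse with scheme "c" and are skipped here.
        if parts.scheme.lower() in ("http", "https") and not is_internal(host):
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for key, value in external_urls(SAMPLE_INI):
        print(f"external endpoint still configured: {key} = {value}")
```

An empty result means no http(s) URL in the file names an external host; confirm the effect with a fresh network capture, since the software may hold endpoints elsewhere.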
