Friday, December 19, 2014

Abbott Libre: uploading your life to the US, behind your back...

In "something every Libre user should know" I showed how the Abbott Freestyle Libre software was automatically connecting to an Abbott R&D center in the US and conjectured that Abbott was uploading our data to its cloud, right under our nose.

That prompted me to read Abbott's License Agreement, which sounds reassuring.

The remaining question was then, of course: what is Abbott uploading to its servers? I was committed to finding out.

A big lie it is!


The previous traffic dumps (please note that no "hacking" of any kind is involved: I am just monitoring what goes out of my computer and network) showed that Abbott was using SSL to connect to its R&D Center and upload what looked like a significant data package. The upload site is actually defined in an .INI file in a "hidden" directory on your computer (a Windows-based PC in this case). The traffic is encrypted with SSL and, as such, is supposed to be inaccessible to a potential eavesdropper. This, of course, piqued my curiosity more than anything else: what did Abbott have to hide?

Finding out was relatively easy, once I could find the time. It could have been harder if Abbott had implemented its "secure" exchange a bit better, but let's not forget that they are a medical device company, likely to be applying security standards somewhat blindly without fully understanding them.

I set up a proxy and routed the Libre software traffic through it. This is a perfectly straightforward operation: employers, security software and ISPs do it all the time. The Libre software happily established a connection with my proxy, and my proxy established a connection with the Abbott research center. In this particular case, I wanted the Libre software to establish a secure connection with my proxy and my proxy to establish a secure connection with the Abbott upload center.

While it passed through my proxy, the transaction was therefore not encrypted.

So, what happens? In one single POST, gzipped data is uploaded to the Abbott server (the connection is keep-alive, just in case):

POST https://libreupload.freestyleserver.com/sutter/upload/universal HTTP/1.1
Content-Type: application/json
Content-Length: 734986
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*
User-Agent: Mozilla/5.0
Host: libreupload.freestyleserver.com

And the server thanks you...

HTTP/1.1 200 OK
Date: Fri, 19 Dec 2014 21:42:31 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 16

{"success":true}

The payload


As you can see from the Content-Length, the payload sent to the server is quite large (seeing through the gzip compression is trivial) and contains a ton of data.


The data is neatly organized in JSON format (a common format for exchanging data on the Internet). The following sections describe how it is organized.


The device settings section limits itself to what I would call standard diagnostic information. This is what I would have accepted Abbott uploading to its servers.


The header part reports both the software's and the device's unique identifiers. That part is, of course, a bit (cough, cough) problematic... While the software did not appear to report an explicit user ID in the transactions I monitored, I did not dump my initial setup and all my connections to the Abbott server right from the start. Abbott could have sneaked a ton of info under my nose during the first few days. However, since Abbott only sells its devices through direct sales, it can certainly connect the serial numbers of its readers to UIDs. Abbott might at some point claim that they do not, but they haven't done much to earn our trust so far, have they? It would be very surprising, even incompetent, if that correlation were impossible.


The measurement log is literally a complete window on your diabetic life. Note: I did not make use of the full data entry capabilities of the Abbott reader, but it seems that Abbott is also interested in what you eat, how you exercise, what drugs you take and what your state of mind is (custom note). While I have not verified that all this information is actually uploaded to Abbott's servers, it is obviously available for upload, should it be entered. I would advise against entering notes that are too personal. "Great night of sex leads to lows" would probably amuse some of the employees in the Abbott research center.


They upload all your glucose entries: scheduled ones (the 15-minute values) and unscheduled ones (the spot checks you do when you want them).



Any alerts, including ondemandalarm.low and projectedhigh. Note: that part is actually very interesting from a user point of view, as it shows that the Abbott software is already prepared for a possible full CGM implementation.

And, of course, insulin entries.
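As an added example (not code from the post, nor from Abbott), here is a small Python audit tool for this kind of capture: it builds a constructed POST with a gzipped JSON body, mimicking the upload shown above, parses it back the way the proxy saw it, and inventories which data categories are present, so the "diagnostics only" claim can be checked against a real dump. The JSON field names and values are constructed assumptions for illustration, not Abbott's actual schema.

```python
import gzip
import json

# Constructed sample modelled on the upload discussed in the post. The JSON
# layout is an assumption for illustration, NOT Abbott's real schema.
SAMPLE_PAYLOAD = {
    "header": {"softwareId": "sw-0000-example", "deviceSerial": "SN-EXAMPLE-0001"},
    "deviceSettings": {"firmware": "1.0", "units": "mg/dL"},
    "measurementLog": {
        "scheduledGlucose": [{"ts": "2014-12-19T21:00", "value": 110},
                             {"ts": "2014-12-19T21:15", "value": 118}],
        "unscheduledGlucose": [{"ts": "2014-12-19T21:20", "value": 121}],
        "alerts": [{"ts": "2014-12-19T21:25", "type": "projectedhigh"}],
        "insulin": [{"ts": "2014-12-19T20:00", "units": 4}],
        "notes": [{"ts": "2014-12-19T19:00", "text": "constructed custom note"}],
    },
}

def build_request(payload):
    """Constructed request mimicking the observed upload: gzipped JSON body."""
    body = gzip.compress(json.dumps(payload).encode())
    head = (b"POST /sutter/upload/universal HTTP/1.1\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Host: libreupload.freestyleserver.com\r\n\r\n")
    return head + body

def parse_request(raw):
    """Split a captured HTTP request into its headers and decoded JSON body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    if body[:2] == b"\x1f\x8b":  # gzip magic bytes: decompress before parsing
        body = gzip.decompress(body)
    return headers, json.loads(body)

# Categories that go beyond plain glucose readings (assumed key names).
PERSONAL = ("alerts", "insulin", "notes")

def inventory(payload):
    """Count what the upload carries, so 'only diagnostics' can be verified."""
    log = payload.get("measurementLog", {})
    counts = {key: len(entries) for key, entries in log.items()}
    counts["identifiers"] = len(payload.get("header", {}))
    counts["beyond_glucose"] = sum(counts.get(k, 0) for k in PERSONAL)
    return counts
```

On a real capture, feed the raw bytes of the intercepted POST to parse_request and look at inventory: any non-zero "identifiers" or "beyond_glucose" count is data a user would want to know about before it leaves the machine.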



Summary


  • The Abbott Freestyle Libre reader covertly uploads all your diabetes tracking information to its US servers. The user is not offered the option to opt out. Configuration files are hidden. Uploads are encrypted.
  • That information can be tracked accurately through the use of UIDs.
  • That information goes well beyond pure glucose values (insulin, exercise, medications and even your thoughts can potentially be uploaded).
  • The Abbott Freestyle Libre license agreement explicitly states that the above does not happen.


Additional thoughts



Had I been asked, I would have gladly shared some, but probably not all, of our information with Abbott. The fact that it is done covertly, in flagrant contradiction with Abbott's own license agreement, is completely dishonest.

As far as the concealment and the security of the process are concerned, I do not know whether to laugh or cry. It seems to have been implemented by a one-eyed guy targeting what he expected to be a blind audience. This is not unusual in the world of medical devices, where compliance with a certain set of rules, defined - at least in the field of IT security - by one-eyed regulators, is generally poorly implemented. While I will obviously NOT check other aspects of Abbott's security, in the wake of the Sony disaster, this is not very encouraging. I would have enjoyed a bit of a challenge, not a 30-minute drive of a 40-ton truck through bales of hay.

As far as the data grab is concerned, while the implementation here is extremely heavy-handed, it is part of a general trend. One very ironic aspect of it is that while Abbott only gives the user the opportunity to look at a limited history of his own diabetes, it stores, and will keep storing, a much longer history on its own servers.
