Connected glucose sensors come in very handy for diabetic patients, saving them from the chore to prick their finger several times a day to check their blood glucose level.
The sensor is attached to the patient’s skin. Before first use, it must be activated during 1 hour - this is a warm up period. Then, it can be used for 2 weeks, after which the sensor expires and must be replaced. Those limits actually depend on the country, each sensor only being able to operate in a given geographical zone.
Despite the fact this IoT is quite well designed, we are able to bypass all of these limits:
We explain how we achieved this. Part of the treasure quest was done using Ghidra, locating checksum functions and walking up the call stack. The sensor’s format uses losts of checksums and although this is quite common, we struggled at finding the exact algorithm used by the sensor! You will see why… We also reversed apparently disabled NFC commands of the sensor’s firmware and found lovely hints. Some other limitations are at software level, but they can’t stand Frida hooks :)
To conclude, we open the discussion on security risks of medical IoT. In that particular case, the sensor is not the weak link, but the smartphone is. We explain why.
Axelle Apvrille (Fortinet), Travis Goodspeed
Axelle Apvrille is principal security researcher at Fortinet. She specifically looks into mobile malware and smart devices (not always that smart…).
She is the lead organizer of Ph0wn CTF, a Capture The Flag dedicated to smart devices. She enjoys drawing comics.