Zero-Day Advisory
Fortinet Discovers Abbott FreeStyle Libre Sensor Weak Data Integrity Protection Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered weak protection of data integrity in FreeStyle LibreLink sensors.
The FreeStyle LibreLink sensor helps you monitor your glucose. You can monitor it with the FreeStyle LibreLink smartphone app, without fingersticks.
The FreeStyle LibreLink sensor's memory, which contains glucose measurements, the sensor region, the stage of life and other code, is protected by a checksum. An attacker can unlock the memory by exploiting another vulnerability, such as FG-VD-19-112, then modify the data and recompute the CRC. The attack can be conducted over NFC and therefore requires close proximity to the sensor.
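The weakness class described above, as an added example that is not Fortinet's or Abbott's code: an unkeyed CRC catches accidental corruption but accepts any change that is resealed with a recomputed CRC, while a keyed MAC rejects it. The record bytes, the CRC-16 variant, the key and all function names are assumptions; the advisory does not state the sensor's layout or algorithm.

```python
import binascii
import hashlib
import hmac

RECORD = bytes(range(24))  # constructed record, NOT the sensor's real layout
DEVICE_KEY = b"constructed-demo-key"  # hypothetical secret of the trusted side

def crc_seal(payload: bytes) -> bytes:
    """Prefix payload with an unkeyed CRC-16 (stand-in algorithm)."""
    return binascii.crc_hqx(payload, 0xFFFF).to_bytes(2, "big") + payload

def crc_verify(block: bytes) -> bool:
    return crc_seal(block[2:]) == block

def mac_seal(payload: bytes, key: bytes) -> bytes:
    """Prefix payload with a keyed HMAC-SHA256 tag."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def mac_verify(block: bytes, key: bytes) -> bool:
    expected = hmac.new(key, block[32:], hashlib.sha256).digest()
    return hmac.compare_digest(block[:32], expected)

def compare() -> dict:
    """Check each scheme against corruption and against a resealed change."""
    modified = bytes([RECORD[0] ^ 0xFF]) + RECORD[1:]
    crc_block, mac_block = crc_seal(RECORD), mac_seal(RECORD, DEVICE_KEY)
    return {
        # Accidental corruption: payload changes, stored CRC does not.
        "crc_rejects_corruption": not crc_verify(crc_block[:2] + modified),
        # Deliberate change: anyone can recompute an unkeyed CRC.
        "crc_accepts_resealed": crc_verify(crc_seal(modified)),
        # Without DEVICE_KEY, neither the old tag nor a tag computed
        # under a guessed key verifies.
        "mac_accepts_old_tag": mac_verify(mac_block[:32] + modified, DEVICE_KEY),
        "mac_accepts_guessed_key": mac_verify(mac_seal(modified, b"guess"), DEVICE_KEY),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```
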
Solutions
This vulnerability has been addressed in FreeStyle Libre 14-day in the U.S. (announced in August 2018), and FreeStyle Libre 2 outside the U.S. (announced in October 2018).
Timeline
Fortinet reported the vulnerability to Abbott on January 29, 2020.
Abbott confirmed the vulnerability on February 14, 2020.
Acknowledgement
This vulnerability was discovered by Axelle Apvrille of Fortinet's FortiGuard Labs.