Freestyle Libre will encrypt transmissions and kill 3rd party access

My sister and I started using the Libre last fall and we both absolutely loved it. We both also downloaded Glimp, the smartphone app. What an improvement over the Abbott pocket reader!!! The smartphone display and other functions put the Abbott reader to shame…and Glimp is far more accurate. The Abbott reader is close to the finger sticks and Glimp…at around 100 to 130 but as your BG goes higher, the Abbott reader goes even higher and at 200+ the Abbott reader is at least 20% too high. Just the opposite is true below 75. The Abbott reader goes 15% too low. Now here’s the biggest issue: Abbott gave me a new 14 day reader and sensors (I’m on Medicare BCBS supplement). Normally that would be a good/great thing. Abbott is now encrypting (scrambling) the data transfer between the sensor and the reader so that now only Abbott equipment works. Since Abbott can’t really claim any positives for doing such a thing, it can only be about greed. Shame on them. I see myself dumping the greedy bastards and getting the Dexcom G7 when it hits next year. Abbott apparently doesn’t really care about the user, only their bottom line…which is never fat enough. If you’re given a choice, buy a competitor’s brand.

4 Likes

That’s disappointing to hear. Are there any alternative sensors for other markets that aren’t encrypted?

I haven’t looked yet, Mike, but from what I’ve heard, the future Dexcom G7 sounds as good as the Libre. My sister and I have also found there are differences in how the insurance companies handle this. There’s no debate on the virtues of CGM but for some insurers you’d think you’re stealing their first born child. My sister has BCBS of North Carolina. I have the same insurance company, but it’s BCBS of Michigan. She received her Libre within a week of applying. It took me six weeks because of the hoops BCBSM made me jump through. My sister had a choice of suppliers. BCBSM will only reimburse one in MI and they have a terrible reputation. I am not one for government intrusion into daily life, but maybe that’s the only way to get these overly powerful insurers and pharmaceutical companies to start acting responsibly.

1 Like

For my case (high deductible with HSA), I’d essentially be paying the cash price, since Dexcom is “out of network” according to my insurer, Medica. Therefore, the Libre was much better suited to my situation, cost wise (prob $80 per month instead of $400-$600). The only way to really get the CGM type function is with 3rd party devices and apps, which they have apparently stopped in the US, if the data is encrypted.

The Libre 2 system will apparently give alarms, but no doubt you’d be tied to a feature-limited reader or a lame factory app for an (i)phone if the data remains encrypted. This of course is not yet approved in the US, and who knows when it will be?

I guess for the foreseeable future, I’m hoping to remain hypoglycemia-aware and go without CGM type devices. Someday the tech will be a bit better, prices more realistic, and data shared more openly, but I’m not holding my breath.

As a finger-sticker for over 30 years, the Constant Glucose Monitor system is a real savior. And because it’s so easy to take a measurement, I register 18-25 readings a day. I would never have come close to that many finger sticks. The point being, Mr/Ms. medical insurer, they would be waaaay ahead in terms of their payouts, by making it easier, not harder, to have us insureds obtain CGM equipment. Plus, I’m not so sure the cost between test strips and CGM sensors is all that big of a difference. Plus the CGM shows your BG TRENDS which finger sticks can’t because you only stick yourself a few times a day (I was at eight times daily when I got my CGM). Everybody makes out better when the patient moves from finger sticks to CGM. It makes you wonder why insurance companies pay their executives so much money.

1 Like

To be fair, the manufacturers have taken a lot of heat for making unencrypted devices, i.e. pacemakers and pumps that can download software and be used for looping etc. So it may not be completely a money thing, but rather a security thing as well.

This is just one example:

That’s a valid concern. However, Dexcom doesn’t encrypt their data stream, correct?

Actually I don’t 100% know if it is encrypted. My son’s nightscout site is a follower, so it isn’t resolving the data directly. I think the Xdrip team spent time decrypting the feed when the G6 came out, so it might be.

Yep, I honestly blame the alarmist “Someone can hack your insulin pump and kill you!” type of breathless stories that came out a few years ago. I mean, I get it, it’s theoretically true if the person was targeting you, was within range of you, etc. etc.

Not saying that totally unencrypted is ideal either, but there should be some way for outside entities to build products that access this data in real time.

I suppose a case could be made for something that could kill you in a veritable heartbeat, but we’re not talking about such things here. The Glimp app on a smartphone is so vastly superior to the Libre reader that the ONLY possible reason is that, like Apple, Abbott wants to control as much as they possibly can so that they can keep as much of their product and ancillary items at the highest possible pricing. While I can, indeed, send my log to CTAPP Software, it’s unlikely anyone would want to access my glucose records, that I can imagine. Abbott’s own reader can have its data downloaded, so what are they “protecting?” The encryption affects only the data transfer between the sensor and the reader. It’s “wireless” for what, 2 inches? I just can’t see this transition being anything about protecting one’s privacy, if I even care about that. The information displayed and stored by my Glimp is far, far, far more valuable than that.

If you like Glimp keep using the 10 day if that’s an option. I first read about the Libre2 from someone in Germany who was upset with having to get a new reader, but linked to third parties who say they have cracked the code and are able to access data like on the 10 day sensor. Can’t remember which but think it was x-drip, but probably wrong. I still use 10 day.

1 Like

I tried to find the 10 day sensors but no luck in the U.S. I’ve heard Abbott is no longer making them. Any guesses why? Duh…

1 Like

I got mine from Walmart a couple weeks back. Have scripts for 14 day just waiting on reader. Still have 3 10 days. I really want the Libre2 though. Thought about trying to order from overseas.

1 Like

Be careful about overseas order, since Libre reader can only work with sensors from the same country group.

Yea, and the Libre2 readers are for only Libre2, they’re blue.

1 Like

Since I only use an Android, I don’t use LibreLink so I had a friend download the LibreLink (U.S.) into her iPhone6 but with my name, etc. so the Abbott smartphone app would work and it did. However, it’s really no better than what you already use/see on the Abbott reader, just a bigger display. Not impressed so I’m not likely to use it. I miss the Glimp app a bunch. I’ll be watching this forum for news on who’s making a CGM that has a Glimp-type app available. I’ve heard that CTAPPsoftware that created Glimp is working on an Abbott hack. My fingers are crossed.

2 Likes

The “bottom line cost argument” doesn’t really make sense, since the “reader” for the Libre 14-day System (I find it interesting that in the commercials they always emphasize the word “system”) I’m guessing is not that expensive. It’s a one-time purchase also (I assume - I use a Dex myself) (the “razorblade pricing model”). I’m more inclined to think FDA interference, or fear of such on Freestyle’s part.

<warning - policy/semi-politics ahead> The hidden cost of regulation borne even by those who are “playing by the rules” - along with “compliance costs” which tend to be enormous - which political types always seem to forget. (Of course, politicians are the ones who make the rules, so they wouldn’t…)

As for “recent encryption snafus” like the pace-maker thing - someone needs to make clear to “everyone” (in the industry(s) - whoever that might be) that there is a BIG difference between active devices like pacemakers, and passive devices that only read data OUT from the body - like a CGM/BP/etc meter. I suppose there’s the preposterous scenario (however small) that some nefarious person is going to trail you and somehow interfere with your meter’s read-out. Within 10-30 feet probably - maybe more if they have a beam-forming transmitter and exquisite aim.

That is preposterous - but even THAT wouldn’t require encrypting the data - it just requires authentication. Actually, that would be required ANYWAY, as it’s quite possible that two people with Libre transmitters will be in range of each other.

Now, if Freestyle/Abbott also have a CGM product (or a you-scratch-my-back-I’ll-scratch-yours agreement with Dexcom), then it could be about the bottom line.

Could the JDRF be “persuaded” somehow to use their influence and/or sue (?!) Abbott regarding this? Or at least, get a straight answer out of them about why they did it? And if it is FDA meddling, a straight answer from them about why an “information only” device needs such encryption.

(I suppose if the sensor itself needs to be calibrated, there’s a chance for a nefarious person to interfere with that. But again, that’s about authentication that it’s really the user’s PDM that’s sending the calibration (the finger-stick BG value).)

The JDRF should be interested in this as part of their Open Protocol Initiative - which I know nothing about other than its support of/by the Tidepool Loop project.

1 Like
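The distinction drawn in the post above, between authenticating a reading and encrypting it, shown as an added example that is not part of the thread and does not describe any vendor's actual protocol. The frame layout (sensor ID, counter, glucose value, truncated HMAC tag), the pairing keys and all names are hypothetical; the sample frames are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag, in bytes (assumed size)
HEADER = struct.Struct(">4sIH")   # hypothetical layout: sensor id, counter, mg/dL


def build_frame(key: bytes, sensor_id: bytes, counter: int, mg_dl: int) -> bytes:
    """Sensor side: plaintext reading followed by a MAC over it."""
    body = HEADER.pack(sensor_id, counter, mg_dl)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def read_plaintext(frame: bytes) -> int:
    """Any listener can parse the value: nothing in the frame is encrypted."""
    return HEADER.unpack(frame[:HEADER.size])[2]


class Reader:
    """Reader paired with one sensor; accepts only authentic, fresh frames."""

    def __init__(self, key: bytes, sensor_id: bytes):
        self.key = key
        self.sensor_id = sensor_id
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        sensor_id, counter, mg_dl = HEADER.unpack(body)
        # Two wearers in range of each other: ignore the neighbour's sensor.
        if sensor_id != self.sensor_id:
            return None, "other sensor"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; a forged or altered reading fails here.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        # A captured frame sent again later is rejected as stale.
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return mg_dl, "ok"
```

With a shared-key MAC like this one, anyone can read the value but only holders of the pairing key can verify it; a design meant to let outside apps verify readings too would use a public-key signature instead.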

I’m pretty sure, since there’s no justification for encryption coming out of Abbott, that this issue is strictly about control and greed. Abbott doesn’t want to see a generic sensor on the market, for sure. As you pointed out, there’s no security issue about Near Field Communications (NFC) read only devices. I mean, the communications range is what, less than 3"? If Abbott tries to justify encryption, other than greed, they are lying. The only reason I use it is because it works (provided I keep it on my arm with some surgical tape since the sensor falls off the adhesive) and after I complained about a co-pay to my Medicare supplement provider, I pay nothing for the sensors.

The FDA does mandate secure communication for iCGM designation. Dexcom of course has the iCGM designation and I think the only thing they are using is the encryption that comes with BLE. Per the recent Abbott/Tandem agreement, it appears that Abbott needs to get iCGM designation also in order to move forward.

Has anybody verified what Abbott is using and is it possible they are simply using standard BLE encryption also? Same as Dexcom?

Per FDA Class II special controls for iCGM: (snippet)

(2) Design verification and validation must include a detailed strategy to ensure secure and reliable means of iCGM data transmission to provide real-time glucose readings at clinically meaningful time intervals to devices intended to receive the iCGM glucose data.

Ah - I hadn’t thought of the generic sensor argument. Though, if someone made a generic sensor, wouldn’t the programming basically be incidental - or is it that insurance companies/hospitals aren’t going to pay for/use anything other than “official” Freestyle device/app/web-portal data, instead of say, accepting Nightscout reports directly from the patient?

I guess such a “DIY CGM” would basically be figuring out where to get the sensor “fiber”? Is that basically a tube impregnated with enough glucose oxidase to last a long while? (Up to a month, I read someone using the Dexcom G5 said.)