Wednesday, January 7, 2015

Reactions to the Libre data uploads and a few clarifications

I've received a lot of reactions to my posts about the Libre data dumps to Abbott's US servers. Some of them were highly critical of Abbott's attitude - "Let's sue them", "Let's report them". Others were more relaxed - "Who cares, everyone knows I am diabetic anyway". And non-technical users were a bit confused about what the different images and examples really meant. In this post, I will try to clarify some points.

Q: are you sure it really uploads that data?

A: yes, no doubt about it. Analyzing network traffic is not something I invented on my kitchen sink and it is as factual as anything can be.

Q: are you sure Abbott can identify the upload?

A: yes, there is no "technical" doubt that it can be done: the upload can be linked to the person who purchased the device, and it shows where the device is actually used. Whether Abbott actually does it right now depends on what they do with the data on their servers and how they link their databases.

Q: isn't it only for update purposes?

A: no, for several reasons:
  • Abbott could use the other, non-encrypted requests it sends to the other server for that purpose. They have two communication channels. How they use them is their choice. The unencrypted open channel could perfectly well be used for updates (and may be the one they will use - it seems they will update the computer software through that channel).
  • Abbott uploads everything that has been entered or collected in the reader. In terms of size and bandwidth, depending on how much you enter in the reader, that is 99.9% to 99.9999% overkill for update purposes or hardware performance monitoring purposes.

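The volume argument above can be checked on one's own machine: an update check sends a few hundred bytes and mostly receives, while a client that sends far more than it receives is pushing local data out. The script below is an added example (not the author's code) that applies that test to per-destination traffic totals; the flow records, process name and host names are constructed placeholders, not captured Libre reader traffic.

```python
"""Flag destinations whose upload volume is far larger than an update check
would need. All flow records are constructed sample data; host and process
names are placeholders, not Abbott's servers or software."""
from collections import defaultdict

# Constructed flow records: (process, destination host, port, bytes sent, bytes received)
SAMPLE_FLOWS = [
    ("reader-sync.exe", "open-channel.example",    80,       412,     9_870),  # version check
    ("reader-sync.exe", "open-channel.example",    80,       398,    11_204),  # mostly download
    ("reader-sync.exe", "secure-channel.example", 443, 1_048_576,     2_310),  # large upload
    ("reader-sync.exe", "secure-channel.example", 443,   524_288,     1_980),
    ("browser.exe",     "news.example",           443,    18_400, 2_400_000),  # ordinary browsing
]

# Thresholds are assumptions for the example: an upload-dominated channel sends
# at least this many bytes and many times more than it receives.
UPLOAD_RATIO = 20.0
UPLOAD_BYTES = 256 * 1024


def summarize(flows):
    """Aggregate bytes sent and received per (process, host, port)."""
    totals = defaultdict(lambda: [0, 0])
    for proc, host, port, out_b, in_b in flows:
        totals[(proc, host, port)][0] += out_b
        totals[(proc, host, port)][1] += in_b
    return totals


def classify(flows, ratio=UPLOAD_RATIO, min_bytes=UPLOAD_BYTES):
    """Return {(process, host, port): 'upload' | 'download' | 'balanced'}."""
    verdicts = {}
    for key, (out_b, in_b) in summarize(flows).items():
        if out_b >= min_bytes and out_b / max(in_b, 1) >= ratio:
            verdicts[key] = "upload"      # local data leaving the machine
        elif out_b < in_b:
            verdicts[key] = "download"    # update checks and downloads land here
        else:
            verdicts[key] = "balanced"
    return verdicts


def uploading_destinations(flows):
    """Sorted list of (process, host, port) keys classified as uploads."""
    return sorted(k for k, v in classify(flows).items() if v == "upload")


if __name__ == "__main__":
    for (proc, host, port), verdict in classify(SAMPLE_FLOWS).items():
        print(f"{proc:16} {host:24} :{port:<4} {verdict}")
```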
Q: is it intentionally hidden?

A: most likely.
  • If I were to find software behaving like this in an IT security context, it would definitely be classified as spyware (imagine CAD software that covertly uploaded the designs you are working on to the CAD program's developer).
  • There is no interface feedback that it is done, and the configuration files are intentionally placed in a hidden directory. Typically, if a program gives visual feedback (options, status), it may hide the config files to protect them from user error or deletion. If an option is not reachable through an interface, one usually stores a user-editable config file with some explanations. Here, everything is hidden and the peculiar design of the program forces you onto that hidden path.
  • Abbott uses two connection channels, one insecure and one "secure"; the exfiltrated data flows on the "secure" channel. To an average user, both channels are "invisible". To an advanced user, the "secure" channel could be visible but its content inaccessible. Abbott may even have thought that the "secure" channel was completely out of reach of users. In any case, there is either an attempt to hide the program's behavior or an attempt to secure it because one knows potentially sensitive data flows on it.

Q: assuming Abbott can but doesn't link data to individuals, is it still a problem?

A: yes.
  • Even if Abbott isn't doing any linking yet, it could very well decide to do it later. Once uploaded, that data is unlikely to ever disappear. That's a typical issue with all cloud services, but at least they usually give you some control to be forgotten (erasing your Google history, for example, or asking Facebook to forget about you and delete your files). Whether they do it or not, and how quickly they do it, remains an issue. However, the option is at least nominally present.
  • Even if Abbott doesn't ever link anything, they are, just like Adobe or more recently Sony, Luxleaks and countless others, at the mercy of external hackers or disgruntled employees who could dump tons of data allowing others to do the linking.
  • Even if Abbott is actually unable to do the linking, that anonymous data can be mined to provide information about endocrinology practices and clinics, research projects, competitor clinical trials, etc. Some of it will be detailed in a "scenario" post.
