EP-4494311-B1 - PROXIMITY PAIRING AND SECURITY OF A CONTINUOUS ANALYTE SENSOR SYSTEM

EP 4494311 B1

Inventors

  • BARRERAS, Jorge R.
  • SANCHEZ BAO, Reinier

Dates

Publication Date
2026-05-06
Application Date
2023-03-15

Claims (15)

  1. A method for pairing an analyte sensor system and one or more display devices, the method comprising: broadcasting, from the analyte sensor system, for an initial connection, a low power general advertisement including an indication indicating the low power general advertisement is for proximity pairing; receiving, from a first display device of the one or more display devices, a connection request message in response to the low power general advertisement; performing an authentication procedure with the first display device, but skipping performing a user-centric authentication protocol in response to the indication indicating the low power general advertisement is for proximity pairing; and pairing and bonding with the first display device based on successful authentication with the first display device.
  2. The method of claim 1, wherein the low power general advertisement is broadcast at a power level of -40 dBm or lower.
  3. The method of claim 1, wherein the indication indicating the low power general advertisement is for proximity pairing comprises a flag in the low power general advertisement.
  4. The method of claim 1, further comprising: broadcasting, from the analyte sensor system a higher power general advertisement for connecting with a second display device, wherein the higher power general advertisement is broadcast at a higher power than the low power general advertisement, and wherein the higher power general advertisement includes an indication indicating the higher power general advertisement is not for proximity pairing.
  5. The method of claim 4, further comprising, in response to the indication indicating that the higher power general advertisement is not for proximity pairing, performing an authentication phase with the second display device using both a password authenticated key agreement, PAKE, protocol and a public key infrastructure, PKI, protocol.
  6. The method of claim 4 or 5, wherein the higher power general advertisement is broadcast at a maximum power of a transmitter of the analyte sensor system.
  7. The method of claim 1, further comprising: adding the first display device to a whitelist, wherein the whitelist identifies display devices that have previously bonded with the analyte sensor system; broadcasting, from the analyte sensor system, a higher power whitelist advertisement for a reconnection with the first display device, wherein the higher power whitelist advertisement is broadcast at a higher power than the low power general advertisement, and wherein the higher power whitelist advertisement includes a second indication indicating the higher power whitelist advertisement is not for proximity pairing; accepting a reconnection request from the first display device after broadcasting the higher power whitelist advertisement for the reconnection and in response to determining that the first display device is a whitelist device based on the whitelist; and rejecting one or more connection requests from one or more display devices in response to determining that the one or more display devices are not whitelist devices based on the whitelist.
  8. The method of claim 7, wherein the low power general advertisement includes a secondary identifier associated with the analyte sensor system, wherein the secondary identifier associated with the analyte sensor system comprises a Bluetooth low energy (BLE) address with one or more bits flipped.
  9. The method of claim 1, wherein the connection request message from the first display device is received in response to the first display device detecting the indication indicating the low power general advertisement is for proximity pairing.
  10. The method of claim 1, wherein the user-centric authentication protocol comprises a password authenticated key agreement (PAKE) protocol.
  11. The method of claim 10, wherein performing the authentication procedure with the first display device further comprises performing a public key infrastructure (PKI) protocol.
  12. The method of claim 1, wherein performing the authentication procedure with the first display device comprises: exchanging authentication messages with the first display device, at the low power, during the authentication procedure.
  13. The method of claim 1, wherein during the pairing and bonding with the first display device, the analyte sensor system and the first display device use low power transmissions in exchanging messages.
  14. The method of claim 1, further comprising: after pairing and bonding with the first display device, sending, to the first display device, analyte data indicative of blood glucose levels from the analyte sensor system.
  15. An analyte sensor system and one or more display devices, the analyte sensor system configured to perform a method according to any of claims 1 to 14.
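
The pairing policy of claims 1 to 13, modelled as an added example (this is illustrative code written for this page, not code from the patent, its inventors or any sensor product). The -40 dBm threshold is the figure of claim 2; the 0 dBm "maximum" transmit power, the one-bit flip mask used for the secondary identifier of claim 8, the device identifiers, and the representation of the PAKE and PKI steps as pass/fail results are assumptions made for the example. The model shows the one decision the claims turn on: the user-centric PAKE step is skipped only when the proximity-pairing flag is present on a low power advertisement, the PKI step runs on both paths, and after a bond the sensor answers higher power whitelist advertisements only for devices already on its whitelist.

```python
"""Added example: a model of the advertisement and pairing policy in claims 1-13.

Not code from the patent or from any sensor product. Power levels other than
the -40 dBm of claim 2, the bit-flip mask, device identifiers and the shape of
the authentication results are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

LOW_POWER_DBM = -40  # claim 2: proximity pairing advertisements at -40 dBm or lower
MAX_POWER_DBM = 0    # assumed transmitter maximum for the higher power advertisements (claim 6)
FLIP_MASK = bytes.fromhex("000000000001")  # assumed mask: flip the lowest address bit (claim 8)


class AdvKind(Enum):
    GENERAL = "general"      # claims 1 and 4
    WHITELIST = "whitelist"  # claim 7


@dataclass(frozen=True)
class Advertisement:
    kind: AdvKind
    tx_power_dbm: int
    proximity_pairing: bool  # the indication/flag of claims 1 and 3
    address: bytes           # BLE address, or the secondary identifier of claim 8


def secondary_identifier(ble_addr: bytes, flip_mask: bytes = FLIP_MASK) -> bytes:
    """Claim 8: the BLE address with one or more bits flipped."""
    if len(ble_addr) != 6 or len(flip_mask) != 6:
        raise ValueError("BLE addresses and masks are 6 bytes")
    if not any(flip_mask):
        raise ValueError("at least one bit must be flipped")
    return bytes(a ^ m for a, m in zip(ble_addr, flip_mask))


def required_auth(adv: Advertisement) -> tuple[str, ...]:
    """Authentication steps selected by the advertisement (claims 1, 5, 10, 11).

    PAKE (the user-centric step) is skipped only for proximity pairing;
    the PKI step runs on both paths.
    """
    if adv.proximity_pairing:
        if adv.tx_power_dbm > LOW_POWER_DBM:
            # The sensor never flags a higher power advertisement as proximity
            # pairing (claims 4 and 7); treat such an advertisement as malformed.
            raise ValueError("proximity pairing flag on a non-low-power advertisement")
        return ("PKI",)
    return ("PAKE", "PKI")


def display_should_request(adv: Advertisement, has_bond: bool) -> bool:
    """Display-device side (claim 9): a general advertisement is answered with a
    connection request; a whitelist advertisement only by a device that already
    holds a bond with the sensor (assumption made for the example)."""
    if adv.kind is AdvKind.WHITELIST:
        return has_bond
    return True


class Sensor:
    """Sensor-side state: a BLE address and the whitelist of bonded displays."""

    def __init__(self, ble_addr: bytes) -> None:
        self.ble_addr = ble_addr
        self.whitelist: set[str] = set()

    def proximity_advertisement(self) -> Advertisement:
        # claims 1-3 and 8: low power, flagged, carrying the secondary identifier
        return Advertisement(AdvKind.GENERAL, LOW_POWER_DBM, True,
                             secondary_identifier(self.ble_addr))

    def general_advertisement(self) -> Advertisement:
        # claims 4-6: higher power, explicitly not for proximity pairing
        return Advertisement(AdvKind.GENERAL, MAX_POWER_DBM, False, self.ble_addr)

    def whitelist_advertisement(self) -> Advertisement:
        # claim 7: higher power reconnection advertisement, not for proximity pairing
        return Advertisement(AdvKind.WHITELIST, MAX_POWER_DBM, False, self.ble_addr)

    def handle_connection_request(self, adv: Advertisement, display_id: str,
                                  auth_results: dict[str, bool]) -> str:
        """Decide on a (re)connection request received after `adv` was broadcast.

        `auth_results` maps a step name ("PAKE", "PKI") to whether that step
        succeeded; the cryptographic steps themselves are outside this model.
        """
        if adv.kind is AdvKind.WHITELIST:
            # claim 7: only previously bonded devices may reconnect
            if display_id in self.whitelist:
                return "reconnected"
            return "rejected: not whitelisted"
        for step in required_auth(adv):
            if not auth_results.get(step, False):
                return f"rejected: {step} failed"
        # claim 1: pair and bond on success; claim 7: remember the bond
        self.whitelist.add(display_id)
        return "bonded"


if __name__ == "__main__":
    sensor = Sensor(bytes.fromhex("c0ffee010203"))  # constructed sample address
    adv = sensor.proximity_advertisement()
    print(adv, required_auth(adv))
    print(sensor.handle_connection_request(adv, "display-A", {"PKI": True}))
    print(sensor.handle_connection_request(sensor.whitelist_advertisement(), "display-B", {}))
```

Running the module walks one device through proximity pairing and then shows a second, never-bonded device being refused on the whitelist advertisement. The `ValueError` in `required_auth` is the sensor's own consistency check: under claims 4 and 7 every higher power advertisement carries the "not for proximity pairing" indication, so a flagged advertisement above -40 dBm can only be malformed.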

Description

INTRODUCTION

Field

The present application relates generally to medical devices such as analyte sensors and, more particularly, to systems, devices, and methods related to wireless communications between analyte sensors (e.g., continuous glucose monitoring (CGM) devices) and one or more display devices.

Description of the Related Technology

Diabetes is a metabolic condition relating to the production or use of insulin by the body. Insulin is a hormone that allows the body to use glucose for energy, or store glucose as fat. Diabetes mellitus is a disorder in which the pancreas cannot create sufficient insulin (Type 1 or insulin dependent) and/or in which insulin is not effective (Type 2 or non-insulin dependent). In the diabetic state, the victim suffers from high blood sugar, which causes an array of physiological derangements (kidney failure, skin ulcers, or bleeding into the vitreous of the eye) associated with the deterioration of small blood vessels. A hypoglycemic reaction (low blood sugar) may be induced by an inadvertent overdose of insulin, or after a normal dose of insulin or glucose-lowering agent accompanied by extraordinary exercise or insufficient food intake. Conventionally, a diabetic patient carries a self-monitoring blood glucose (SMBG) monitor, which may require uncomfortable finger pricking methods. Due to the lack of comfort and convenience, a diabetic will normally only measure his or her glucose level two to four times per day. Unfortunately, these time intervals are spread so far apart that the diabetic will likely be alerted to a hyperglycemic or hypoglycemic condition too late, sometimes incurring dangerous side effects as a result. In fact, it is unlikely that a diabetic will take a timely SMBG value, and further the diabetic will not know if his or her blood glucose value is going up (higher) or down (lower), due to limitations of conventional methods.
Consequently, a variety of non-invasive, transdermal (e.g., transcutaneous) and/or implantable sensors are being developed for continuously detecting and/or quantifying blood glucose values. Generally, in a diabetes management system, these sensors wirelessly transmit raw or minimally processed data for subsequent display and/or analysis at one or more remote devices, which can include a remote device, a server, or any other type of communication device. A remote device may then utilize a trusted software application (e.g., approved and/or provided by the manufacturer of the sensor), which takes the raw or minimally processed data and provides the user with information about the user's blood glucose levels. Because diabetes management systems using such implantable sensors can provide more up-to-date information to users, they may reduce the risk of a user failing to regulate the user's blood glucose levels. Using a wireless connection between a transcutaneous analyte sensor and one or more display devices based on certain existing wireless communication protocols, however, may expose the sensor and/or the display devices to safety, integrity, privacy, and availability issues (e.g., the sensor and/or display devices may become unavailable as a result of malicious attacks). As an example, an attacker may use a malicious device that impersonates the sensor to connect with and send inaccurate data (e.g., inaccurate blood glucose levels) to a user's display device to cause harm to the user. In another example, an attacker may use a malicious device to impersonate the user's display device, or the software application, and execute the software application on the user's display device to gain access to the user's sensor. In such an example, the attacker may receive the user's sensor data (e.g., blood glucose levels), thereby violating the patient's privacy.
Also, in such an example, the attacker may transmit data to the sensor that may cause malfunction of the sensor or sensor electronics. For example, a malicious or an impersonated display device may inaccurately calibrate the sensor, thereby causing the sensor to provide inaccurate blood glucose measurements. Further, in the same example, the attacker may disrupt a communication session that the user has already established between the user's sensor and the user's own display device that executes a trusted software application. In certain other examples, a user may themselves use an unauthenticated software application, executed on the user's own display device, to connect with the user's sensor. In such an example, the unauthenticated software application may not include the safety measures needed to ensure the user's data security and safety.

US 2020/397354 A1 relates to methods and apparatus for communication among display devices and a sensor electronics unit in an analyte monitoring system. The analyte monitoring system may include a sensor that is configured to perform measurements indicative of analyte levels. The sensor may be communica