EP-4740858-A2 - PROXIMITY PAIRING AND SECURITY OF A CONTINUOUS ANALYTE SENSOR SYSTEM
Abstract
Techniques and protocols for facilitating wireless secure communications between a sensor system and one or more other devices are disclosed. In certain embodiments, the techniques and protocols include secure proximity pairing techniques with reduced power. A method for pairing an analyte sensor system and one or more display devices includes broadcasting, from the analyte sensor system, for an initial connection, a low power general advertisement including an indication indicating the low power general advertisement is for proximity pairing. The method includes receiving, from a first display device, a connection request message in response to the low power general advertisement; performing an authentication procedure with the first display device; and pairing and bonding with the first display device based on successful authentication with the first display device.
Inventors
- BARRERAS, Jorge R.
- SANCHEZ BAO, Reinier
Assignees
- DexCom, Inc.
Dates
- Publication Date
- 20260513
- Application Date
- 20230315
Claims (13)
- An analyte sensor system and one or more display devices, the analyte sensor system comprising: a transceiver configured to: broadcast, for an initial connection, a low power general advertisement including an indication indicating the low power general advertisement is for proximity pairing; and receive, from a first display device of the one or more display devices, a connection request message in response to the low power general advertisement; and at least one memory comprising executable instructions; at least one processor in data communication with the at least one memory and configured to execute the instructions to: perform an authentication procedure with the first display device; and pair and bond with the first display device based on successful authentication with the first display device.
- The analyte sensor system of claim 1, wherein: the at least one processor is configured to add the first display device to a whitelist, wherein the whitelist identifies display devices that have previously bonded with the analyte sensor system; the transceiver is configured to broadcast a higher power whitelist advertisement for a reconnection with the first display device, wherein the higher power whitelist advertisement is broadcast at a higher power than the low power general advertisement, and wherein the higher power whitelist advertisement includes a second indication indicating the higher power whitelist advertisement is not for proximity pairing; and the at least one processor is configured to: accept a reconnection request from the first display device after broadcasting the higher power whitelist advertisement for the reconnection and in response to determining that the first display device is a whitelist device based on the whitelist; and reject one or more connection requests from one or more display devices in response to determining that the one or more display devices are not whitelist devices based on the whitelist; and wherein the higher power whitelist advertisement includes a primary identifier associated with the analyte sensor system.
- The analyte sensor system of claim 2, wherein the primary identifier comprises a manufacturer assigned Bluetooth low energy (BLE) address.
- The analyte sensor system of claim 1, wherein the transceiver is configured to: broadcast a second low power general advertisement for connecting with a second display device, the second low power general advertisement including a second indication indicating the second low power general advertisement is for proximity pairing.
- The analyte sensor system of claim 4, wherein the second low power general advertisement includes a secondary identifier associated with the analyte sensor system.
- The analyte sensor system of claim 5, wherein the secondary identifier associated with the analyte sensor system comprises a Bluetooth low energy (BLE) address with one or more bits flipped.
- The analyte sensor system of claim 4, wherein the at least one processor is configured to: accept a connection request from the second display device after broadcasting the second low power general advertisement and in response to determining that the second display device is not a whitelist device; and reject one or more connection requests from one or more display devices in response to determining that the one or more display devices are whitelist devices.
- The analyte sensor system of claim 7, wherein the at least one processor is configured to: determine that the second display device is not a previously whitelisted device and that the one or more display devices are previously whitelisted devices based on a whitelist maintained at the analyte sensor system.
- The analyte sensor system of claim 7, wherein the at least one processor is configured to: determine that the second display device is not a previously whitelisted device and that the one or more display devices are previously whitelisted devices based on a whitelist indication in the connection request and the one or more connection requests.
- The analyte sensor system of claim 1, wherein the connection request message from the first display device is received in response to the first display device determining the analyte sensor system is within a threshold proximity range of the first display device.
- The analyte sensor system of claim 1, where the at least one processor being configured to perform the authentication procedure with the first display device comprises the at least one processor being configured to: skip performing a user-centric authentication protocol in response to the indication indicating the low power general advertisement is for proximity pairing.
- The analyte sensor system of claim 11, wherein the user-centric authentication protocol comprises a password authenticated key agreement (PAKE) protocol.
- The analyte sensor system of claim 12, wherein the at least one processor being configured to perform the authentication procedure with the first display device comprises the at least one processor being configured to: skip the PAKE protocol; and perform a public key infrastructure (PKI) protocol.
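The pairing and reconnection rules of claims 1 to 13, modelled as an added Python example (this is not DexCom's code and does not come from the patent); the power levels, the bit chosen for the secondary identifier, the `auth` callback and the assumption that a non-proximity pairing still runs the user-centric PAKE step are all constructed for the model.

```python
"""Model of the claimed proximity-pairing decision logic (added example, not DexCom's code)."""
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Advertisement:
    identifier: bytes          # primary BLE address, or a bit-flipped secondary one (claims 2, 5, 6)
    tx_power_dbm: int          # low for the general advert, higher for the whitelist advert
    proximity_pairing: bool    # the indication carried in the advertisement (claims 1, 2, 4)

@dataclass(frozen=True)
class ConnectionRequest:
    device_id: str
    claims_whitelisted: bool   # whitelist indication inside the request itself (claim 9)

class AnalyteSensor:
    GENERAL_POWER_DBM, WHITELIST_POWER_DBM = -20, 0   # assumed values; only their order matters

    def __init__(self, ble_address: bytes, auth: Callable[[str, str], bool]):
        self.primary = ble_address          # manufacturer-assigned BLE address (claim 3)
        self.whitelist: set[str] = set()    # devices that previously bonded (claim 2)
        self.auth = auth                    # auth(protocol, device_id) -> bool, supplied by caller

    def secondary_identifier(self) -> bytes:
        # claim 6: the BLE address with one or more bits flipped; here the low bit of the last octet
        return self.primary[:-1] + bytes([self.primary[-1] ^ 0x01])

    def advertise_general(self) -> Advertisement:
        return Advertisement(self.secondary_identifier(), self.GENERAL_POWER_DBM, True)

    def advertise_whitelist(self) -> Advertisement:
        return Advertisement(self.primary, self.WHITELIST_POWER_DBM, False)

    def auth_protocols(self, adv: Advertisement) -> list[str]:
        # claims 11-13: proximity pairing skips the user-centric PAKE and runs PKI only;
        # otherwise (assumption) both PAKE and PKI are required
        return ["PKI"] if adv.proximity_pairing else ["PAKE", "PKI"]

    def handle_request(self, adv: Advertisement, req: ConnectionRequest) -> str:
        if not adv.proximity_pairing:                     # claim 2: reconnection advert
            return "reconnected" if req.device_id in self.whitelist else "rejected"
        if req.device_id in self.whitelist or req.claims_whitelisted:
            return "rejected"                             # claims 7-9: already-bonded devices refused
        if not all(self.auth(p, req.device_id) for p in self.auth_protocols(adv)):
            return "rejected"                             # claim 1: bond only on successful auth
        self.whitelist.add(req.device_id)                 # claim 2: pair, bond and whitelist
        return "bonded"
```

The two advertisement types carry different identifiers, so an observer cannot trivially link a sensor's reconnection traffic to its pairing-time traffic; the accept/reject branches are the part a reviewer would check against the claim text.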
Description
Cross-Reference to Related Applications
This application claims benefit of and priority to U.S. Provisional Application No. 63/269,460, filed March 16, 2022, which is hereby assigned to the assignee hereof and hereby expressly incorporated by reference herein in its entirety as if fully set forth below and for all applicable purposes.
INTRODUCTION
Field
The present application relates generally to medical devices such as analyte sensors and, more particularly, to systems, devices, and methods related to wireless communications between analyte sensors (e.g., continuous glucose monitoring (CGM) devices) and one or more display devices.
Description of the Related Technology
Diabetes is a metabolic condition relating to the production or use of insulin by the body. Insulin is a hormone that allows the body to use glucose for energy, or store glucose as fat. Diabetes mellitus is a disorder in which the pancreas cannot create sufficient insulin (Type I or insulin dependent) and/or in which insulin is not effective (Type 2 or non-insulin dependent). In the diabetic state, the victim suffers from high blood sugar, which causes an array of physiological derangements (kidney failure, skin ulcers, or bleeding into the vitreous of the eye) associated with the deterioration of small blood vessels. A hypoglycemic reaction (low blood sugar) may be induced by an inadvertent overdose of insulin, or after a normal dose of insulin or glucose-lowering agent accompanied by extraordinary exercise or insufficient food intake. Conventionally, a diabetic patient carries a self-monitoring blood glucose (SMBG) monitor, which may require uncomfortable finger pricking methods. Due to the lack of comfort and convenience, a diabetic will normally only measure his or her glucose level two to four times per day.
Unfortunately, these time intervals are spread so far apart that the diabetic will likely be alerted to a hyperglycemic or hypoglycemic condition too late, sometimes incurring dangerous side effects as a result. In fact, it is unlikely that a diabetic will take a timely SMBG value, and further the diabetic will not know if his blood glucose value is going up (higher) or down (lower), due to limitations of conventional methods. Consequently, a variety of non-invasive, transdermal (e.g., transcutaneous) and/or implantable sensors are being developed for continuously detecting and/or quantifying blood glucose values. Generally, in a diabetes management system, these sensors wirelessly transmit raw or minimally processed data for subsequent display and/or analysis at one or more remote devices, which can include a remote device, a server, or any other type of communication device. A remote device may then utilize a trusted software application (e.g., approved and/or provided by the manufacturer of the sensor), which takes the raw or minimally processed data and provides the user with information about the user's blood glucose levels. Because diabetes management systems using such implantable sensors can provide more up-to-date information to users, they may reduce the risk of a user failing to regulate the user's blood glucose levels. Using a wireless connection between a transcutaneous analyte sensor and one or more display devices based on certain existing wireless communication protocols, however, may expose the sensor and/or the display devices to safety, integrity, privacy, and availability issues (e.g., the sensor and/or display devices may become unavailable as a result of malicious attacks). As an example, an attacker may use a malicious device that impersonates the sensor to connect with and send inaccurate data (e.g., inaccurate blood glucose levels) to a user's display device to cause harm to the user.
In another example, an attacker may use a malicious device to impersonate the user's display device, or the software application, and execute the software application on the user's display device to gain access to the user's sensor. In such an example, the attacker may receive the user's sensor data (e.g., blood glucose levels), thereby violating the patient's privacy. Also, in such an example, the attacker may transmit data to the sensor that may cause malfunction of the sensor or sensor electronics. For example, a malicious or an impersonated display device may inaccurately calibrate the sensor, thereby causing the sensor to provide inaccurate blood glucose measurements. Further, in the same example, the attacker may disrupt a communication session that the user has already established between the user's sensor and the user's own display device that executes a trusted software application. In certain other examples, a user themselves may use an unauthenticated software application, which may be executed on the user's own display device, to connect with the user's sensor. In such an example, the unauthenticated software application may not include the necessary safety measures needed to ensure the