Comment by duban
1 month ago
I’m aware of a few people working on REing the Omnipod 5. The furthest issue that I have seen is that when a PDM/Omnipod 5 app signs into your insulet id, it gets a private key from the API which is stored in the keychain (and uses SSL pinning to prevent MiTM retrieval of the private key). When pairing with the pod they exchange public keys and then a derived key from the devices private key+pods public keys, but haven’t been able to get a copy of a private key yet to make further progress.
Anyway to follow the progress? I attended the Nightscout conference and asked around regarding this but no one really knew of any group to follow. Or really knew of the latest developments on this effort.
I am not aware of any public groups to follow the progress, I have just met a few people on the Loop Zulip and have talked with them every few months whenever people have time to look into it.
I'm thinking we probably need to get more organized and start picking up the pace with this. There are rumors, which of course I am not sure how credible, but word is that the Dash will be discontinued soon. Maybe we can add another channel to the Zulip to try to get things moving.
Was going to ask the something. And also, so the omnipod app is not using android attestation but stores private key it got from omnipod server?
It seems to use the play integrity API when communicating with Insulet's servers which provide a private key to the PDM/app once it was registered with the user's account. However since the Pod doesn't have access to the internet, it has no way to check the play integrity signature AFAIK, so instead it checks that the certificate that the PDM/app presents to it is issued from the cert chain that it trusts.