Peloton’s ride has hit a pothole! Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, & it partially fixed the flaw but did not tell the researcher until he reached out to a cyber-security journalist for help.
In addition to this privacy issue, Peloton is now also recalling all treadmills after the equipment was linked to 70 injuries & the death of a child.
This was bad news for Peloton, & it came just before worse news hit the headlines: on Wed., the company recalled all of its treadmills, which have been linked to 70 injuries & the death of 1 child.
Consumer Product Safety Commission
It also admitted that it had been wrong to refuse the US Consumer Product Safety Commission’s request that it withdraw the equipment: In April, the CPSC warned consumers to stay off the Peloton Tread+, which “poses serious risks to children for abrasions, fractures, & death.”
The CPSC said that it had received many reports of children, & at least 1 pet, getting ‘trapped, pinned, & pulled’ under the rear roller. The commission posted an upsetting video showing a child being pulled under the rear of the machine (he was not injured).
Treadmill
“It is believed that at least 1 incident occurred while a parent was running on the treadmill, suggesting that the hazard cannot be avoided simply by locking the device when not in use,” the CPSC commented.
“Reports of a pet & objects being sucked beneath the Tread+ also suggest possible harm to the user if the user loses balance as a result.”
Inaccurate & Misleading
At the time of the CPSC warning, Peloton issued a statement rejecting the commission’s recall request, calling it “inaccurate & misleading.”
That was 2 weeks ago. Now, the company has done an abrupt reversal. “I want to be clear, Peloton made a mistake in our initial response to the CPSC’s request,” Peloton CEO John Foley said in a statement. “We should have engaged more productively with them from the outset. For that, I apologise.”
Problems on Privacy Front
Peloton is also having a difficult week on the privacy front. Nobody wants their supposedly private profile, age, city or workout history turning up in a screenshot while they are using 1 of Peloton’s bikes. That is what happened to TechCrunch’s Zack Whittaker last week, & it is how he came to learn that Pen Test Partners needed a trusted journalist – him – to get Peloton’s attention.
Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, regardless of their profiles being set to private.
As Masters observed in a post about the flaw, the leaky API let anyone – a Peloton user or a random internet passer-by – make an unauthenticated request for account data, & the API never checked whether the requester had any right to it. The same API is what the bikes use to upload data to Peloton’s servers.
Full List of Exposed Private Details
- User IDs
- Instructor IDs
- Group Membership
- Location
- Workout stats
- Gender & age
- Whether or not they are in the studio
President Biden
That is not good for any of the company’s riders: Peloton says it has more than 3m subscribers, over 1m of them ‘connected’, meaning they pay to synchronise workout classes with their Peloton equipment.
It’s particularly concerning given that 1 of those members is reportedly US President Joe Biden: as the New York Times reported 1 year ago, the then-presidential candidate started each day on one of these $1,895 indoor stationary bikes-cum-social-media platforms.
After the US presidential election, cyber-security watchers raised red flags. As it is, the bikes have built-in cameras & microphones that let riders see & hear each other if they like. Is it good for spies from adversarial nations to be able to look into the White House workout room? To listen in on the US President’s workout, or even to know when, exactly, he is working out?
Popular Mechanics
In Jan., Popular Mechanics ran a story questioning the safety of this setup, with the headline “Why Joe Biden Can’t Bring His Peloton to the White House.” As of Mar., it wasn’t clear whether the CIA allowed President Biden to move his bike into the White House, though cyber-security experts told the New York Times that if he wanted it, he could certainly have it – with enough preparation to avoid risks.
What kind of preparation can you do to protect the President, or anybody, from a leaky API that nobody is aware of?
President’s Bike
Jason Kent, ‘Hacker in Residence’ at Cequence Security, noted that the US Feds may have locked down the President’s bike (if, in fact, he now has one in the White House), but that would not close the hole of a leaky API. “The profile was built prior to the presidency,” Kent observed.
“To participate in a ride on a Peloton, you have to be online. Otherwise, you are merely riding a stationary bike (boring). Yes, if they took it offline, that would secure it. Otherwise, I imagine they trusted Peloton’s security statement, as others did.”
Leaky Spring
In just the past month, leaky APIs have also turned up at the invitation-only chat app Clubhouse, John Deere & Experian. If those, plus the Peloton leak, are an indication, “We are in for a wild ride of API-driven breaches,” Kent predicted.
While the leaks seize the headlines, the cause of the leaks – i.e., a misconfigured API – is typically ‘papered-over’, he stated, because “It’s the plumbing that enabled the leak, & the resulting leak is the ‘news.’” As ever more leaks appear, however, Kent thinks we will see more attention paid to these vulnerabilities.
At present, they cover multiple spots on the OWASP API Security Top 10 list of vulnerabilities (the 2019 edition, which lists Broken Object Level Authorization at #1, Broken User Authentication at #2, Excessive Data Exposure at #3 & Broken Function Level Authorization at #5), he noted: “Weak authentication is #1 & #5 on the list, ranked in terms of priority & severity,” Kent noted. “Sensitive data exposure is #3.”
Specific Individuals
What threat actors can do with the data depends on what they have in mind. “It is location data for specific individuals, so an angry abuser or anyone that is looking to harm someone could get this data & find another person on the system physically,” Kent explained.
Particularly alarming is what malicious eavesdroppers might do with a President’s PII: a scenario that underscores the danger of deep fakes.
“They could also build fake profiles, execute fake account creation attacks on other apps, look for their username in other apps, use the data in automated attacks,” Kent continued. “Personal data is the critical element in building out cyber-attacks – the other 2 are infrastructure & tools.”
Stop the API Flood?
The only way to ‘plug the dam’, Kent reckons, is to stop putting everything on the Internet. Do we really need connected exercise equipment? Toasters? We could probably live with dumb appliances just fine, & we might want to, given that we are trusting our data to companies whose strengths do not necessarily lie in storing it securely.
“Companies that make bicycles aren’t the greatest source of trusted data exchanges or data storage, & thus these tools should be locked down as tightly as possible,” he comments.
Security Settings
Users need to spend time in the security settings & tighten them, Kent says, though how much that helps against leakage through an API vulnerability is anybody’s guess. “Do NOT accept default settings,” Kent explained.
“But even with these efforts, what is being allowed will go through an API, & if the back end of the API – the authentication in this case – is flawed, then the data may be exposed.”
The Year of the API Attack
“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right,” Kent continued. “In needing to build an API that allows some users to share information & build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data.
“The information might not show in the application itself, but developers & security teams need to also confirm that the APIs themselves conform to the security measures in place. If 2013 was the year of the web attack, 2021 is shaping up to be the year of the API attack. Organisations need to react quickly to 1st, find all of their API endpoints & secondly, understand their security posture.”
Vulnerability Disclosure
Masters did not expect any problem getting the issue resolved: Peloton has a Vulnerability Disclosure Program, & he privately disclosed the flaw to Peloton on Jan. 20, per its program rules. Peloton acknowledged receipt the same day. Unfortunately, that is the last that Pen Test Partners heard from the company.
2 days later, the penetration-testing company asked for an update & offered help in reproducing the problem. Again, it heard nothing back. By Feb. 2, the researchers found that the unauthenticated endpoint had been “silently & partly” fixed.
Authenticated Users
“User data was now only available to all authenticated Peloton users,” Masters recounted in his post. But that was only a partial fix, he noted: it still exposed private profile data to any other Peloton user, so anyone with an account could read it.
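The difference between the Feb. 2 partial fix & a real one is the difference between authentication (who is calling?) & object-level authorization (may this caller see this rider’s private data?). The following is an added Python example, not Peloton’s code or Pen Test Partners’ proof of concept: the profile endpoint in the three states described above (unauthenticated, authenticated-only, authenticated plus authorized), with a regression check of the kind a disclosure handler should run before closing a report. Profiles, session tokens, field names & the `PUBLIC_FIELDS` set are all constructed for illustration.

```python
# Added example (not Peloton's code): a profile endpoint in three states, the
# unauthenticated bug, the "authenticated users only" partial fix, and a fix
# that also checks object-level authorization. Profiles, tokens and field
# names are constructed for illustration.
from dataclasses import dataclass, asdict
from typing import Optional


class Unauthorized(Exception):
    """No valid session token (HTTP 401 in a real service)."""


@dataclass(frozen=True)
class Profile:
    user_id: str
    username: str
    private: bool          # the rider's "profile set to private" toggle
    age: int
    city: str
    gender: str
    workout_count: int
    in_studio: bool


# Constructed sample data: two private riders and one public one.
PROFILES = {
    "u1": Profile("u1", "alice", True, 34, "Washington", "F", 812, False),
    "u2": Profile("u2", "bob", True, 41, "Denver", "M", 97, True),
    "u3": Profile("u3", "carol", False, 29, "Austin", "F", 305, False),
}

# Constructed session store: bearer token -> user id.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2", "tok-carol": "u3"}

# What a private profile should reveal to anyone who is not its owner.
PUBLIC_FIELDS = ("user_id", "username", "private")


def authenticate(token: Optional[str]) -> str:
    """Map a bearer token to a user id, or refuse the request."""
    if token is None or token not in SESSIONS:
        raise Unauthorized("missing or invalid session token")
    return SESSIONS[token]


def full_view(p: Profile) -> dict:
    return asdict(p)


def public_view(p: Profile) -> dict:
    return {k: v for k, v in asdict(p).items() if k in PUBLIC_FIELDS}


def get_profile_v1(target_id: str, token: Optional[str] = None) -> dict:
    """State as disclosed on Jan. 20: no authentication, no authorization.
    Anyone on the internet reads every field of every profile."""
    return full_view(PROFILES[target_id])


def get_profile_v2(target_id: str, token: Optional[str]) -> dict:
    """The 'silent & partial' fix: authentication only. Anonymous callers are
    refused, but any rider still reads any other rider's private profile
    (OWASP API1 Broken Object Level Authorization / API3 Excessive Data Exposure)."""
    authenticate(token)
    return full_view(PROFILES[target_id])


def get_profile_v3(target_id: str, token: Optional[str]) -> dict:
    """Authentication plus object-level authorization: a private profile is
    returned in full only to its owner; everyone else gets the public subset.
    Authenticate before the lookup so anonymous callers learn nothing."""
    requester = authenticate(token)
    target = PROFILES[target_id]
    if requester == target.user_id or not target.private:
        return full_view(target)
    return public_view(target)


def leaks_private_data(handler, target_id: str, token: Optional[str]) -> bool:
    """Regression check to run before and after a fix: does a caller who is
    NOT the owner (anonymous or another rider) receive any field beyond
    PUBLIC_FIELDS for a private profile?"""
    try:
        view = handler(target_id, token)
    except Unauthorized:
        return False
    return any(k not in PUBLIC_FIELDS for k in view)


if __name__ == "__main__":
    for name, h in (("v1", get_profile_v1), ("v2", get_profile_v2), ("v3", get_profile_v3)):
        anon = leaks_private_data(h, "u1", None)
        other = leaks_private_data(h, "u1", "tok-bob")
        print(f"{name}: anonymous leak={anon}, other-rider leak={other}")
```

Run stand-alone, the check reports that v1 leaks to both callers, v2 stops the anonymous read but still leaks to another rider, & only v3 passes both. The point of keeping `leaks_private_data` separate from the handlers is that it is the test a vendor should re-run against the live endpoint before telling a researcher the issue is closed.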
After 90 days, Pen Test Partners reached out to Whittaker to speak to Peloton on its behalf.
It is all resolved now, Masters says. On Wed. he updated his original blog post about the situation, saying that he had finally been contacted directly by Peloton’s CISO.
Press Office
“Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post,” Masters wrote. “The vulnerabilities were largely fixed within 7 days. It is a shame that our disclosure was not responded to in a timely manner & also a shame that we had to involve a journalist in order to get listened to.
In fairness to Peloton, they took it on the chin, thanked us, & acknowledged their failures in the process. I wish all vendors were so honest & grateful.”
Peloton gave this statement to TechCrunch:
‘It is a priority for Peloton to keep our platform secure & we are always looking to improve our approach & process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API & see information that is available on a Peloton profile.
We acted, & addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community & respond more promptly when vulnerabilities are reported.
We want to thank Ken Munro for submitting his reports through our CVD program & for being open to working with us to resolve these issues.’
Over to you, Peloton…