Cybersecurity Snapshots #19 - Are Smart Home Gym Equipment and Health and Fitness Apps Secure?

Cybersecurity Snapshots #19 -

Are Smart Home Gym Equipment and Health and Fitness Apps Secure?

Due to the coronavirus, the use of smart home gym equipment and health and fitness app downloads have skyrocketed. For example, Peloton stock soared more than 400 percent in 2020, Mirror ended 2020 with $150 million in revenue, up from a previously projected $100 million, and Tonal reported a staggering 700 percent year-over-year increase in sales in 2020. According to researchers from Sensor Tower, from January through November of 2020, approximately 2.5 billion health and fitness apps were downloaded worldwide, a 47 percent jump from the same period in 2019. Researchers believe that the use of smart home gym equipment and health and fitness app downloads will keep increasing in the future, which raises the question of how secure they are against cyberattacks?

Security researchers from the Pen Test Partners in May discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users. The researchers stated that the mobile, web application, and back-end APIs had several endpoints that revealed users' information to authenticated and unauthenticated users. Among the potentially exposed data were user and instructor IDs, group membership, location, workout stats, gender, age, and whether users are in the studio or not. The security researchers also found that the security flaws were so bad that they leaked information even for users in privacy mode. A month later, researchers from McAfee's Advanced Threat Research (ATR) team discovered that the popular Peloton Bike+ and Peloton Tread exercise equipment contained a security vulnerability that could expose gym users to a wide variety of cyberattacks. According to the researchers, the vulnerability would allow a hacker to gain remote root access to the Peloton's "tablet." The tablet is the touch screen installed on the devices to deliver interactive and streaming content. From there, a diligent hacker could install malware, intercept traffic and user's personal data, and even control the Bike+ or Tread camera and microphone over the internet. McAfee noted that to exploit the vulnerability, an attacker would need either physical access to the workout machines or access during any point in the supply chain (from construction to delivery).  Researchers believe that a full investigation should be conducted by Peloton to improve their security, especially now that well-known individuals are openly using this service.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware like bikes, rowers, and a treadmill as a cheaper alternative for members to exercise at home. Echelon also has an app that lets members join virtual classes. At Pen Test Partners, security researchers found that Echelon's API allowed them to access the account data, including name, city, age, sex, phone number, weight, birthday, workout statistics, and history of any other member in a live or pre-recorded class. The API also disclosed some information about members' workout equipment, such as its serial number.  The researchers also found another bug that allowed members to pull data on any other member because of weak access controls on the API. The researchers stated that this bug made it easy to capture user account IDs and scrape account data from Echelon's servers.

Arxan, a Maryland-based tech firm, looked at 71 health and fitness apps from the U.S., U.K., Germany, and Japan. The researchers found that a whopping 97 percent of the apps they looked at lacked binary protection, 79 percent had insufficient transport layer protection, and 56 percent experienced unintended data leakage. The researchers stated that many of the bugs expose the apps to tampering, making it easier for attackers to reverse engineer apps or potentially leak users' personal information. Researchers also found that 86% of health apps they reviewed had at least two critical vulnerabilities. The researchers also conducted a survey of 1,083 individuals, comprised of health app users and IT decision-makers, who produce health apps.  The survey results revealed that 55% of users of health apps expected their apps to be hacked in the next six months.

Researchers have stated that it is hard to get companies who create smart home gym equipment and health and fitness apps to respond to disclosures of vulnerabilities promptly. Sometimes the researchers disclosing the vulnerabilities have to contact the press to get a response from the company. As the use of smart home gym equipment and health and fitness apps continues to grow, users may require the companies behind the equipment and health and fitness apps to take cybersecurity more seriously.