Peloton’s Bad Day Explained: Recall of Tread & Security Leak Discovered


Hump day is not going well for Peloton this week. After a successful annual ‘Homecoming’ event last weekend, where they made a slew of product announcements, the company announced today that they’re recalling the Tread and Tread+ treadmills due to safety issues, one of which led to the death of a child. This follows weeks of the company resisting calls from the CPSC (Consumer Product Safety Commission) to issue a recall of the Peloton Tread/Tread+, and of course follows the incident in March in which a 6-year-old child died after being pulled under the treadmill.

However, Peloton’s bad day actually started earlier than that, before most people at the company’s NYC headquarters were even awake. TechCrunch ran a story outlining how security researchers had stumbled onto a bug that exposed some activity and profile details of profiles set to private. The more important part of the story, honestly, is that it took the researchers multiple attempts, and eventually a media outlet getting involved, to get Peloton to pay attention to their claims. The data leak itself would probably be classified as relatively minor in the grand scheme of leaks (more on that in a second).

Let’s just do a quick round-up of both of these. However, for those that are skimming – I’d strongly encourage you to understand the treadmill safety issue here, because frankly, this doesn’t just impact Peloton treadmills.

Peloton Treadmill Recall:


Peloton currently offers two treadmills, though they were both named the same thing at one point. The two models are:

Less expensive – $2,495: Peloton Tread
More expensive and bigger – $4,295: Peloton Tread+

However, up until last year, the Peloton Tread+ was simply the Tread. When they introduced a less expensive version, they gave that one the Tread name and renamed the existing Tread to the Tread+. It’d be like Apple renaming the product you already bought by tacking a +/Plus onto it. It’s confusing.

And in fact, adding to the confusion is that there are actually two different safety issues. For the Tread+ (the bigger one), the main safety concern is that pets/children/objects can be pulled under the treadmill if not properly supervised. The CPSC released a video showing how exactly this occurs with a toddler. The video is hard to watch (the child eventually walks away), but I think it’s super important anyone with a treadmill watch it, as this isn’t limited to just Peloton treadmills:

Again, while Peloton is getting all the attention here, this isn’t limited to Peloton treadmills. The main issue is the gap at the base of the treadmill. And just about any belt or slat system will pull objects under it, especially given the forces and weights these machines have. For example, my treadmill (at the DC Rainmaker Cave) isn’t much different in height or gap, and would likely pull things under it too. Here’s an older image I found in my files of it, showing the gap:

However, some treadmills have bars or covers in place to prevent this. For example, just randomly pulling up Woodway’s main treadmill page, you’ll see how these specific models have bars in place that prevent most objects from being pulled fully under the treadmill. And that’s the key piece here. The main goal isn’t necessarily to prevent belt-burn or such, but rather, to prevent the child/pet from being *pulled under* the treadmill.


Compare that to the Peloton Tread+ below: there’s no blocker in place, and there’s still enough of a gap for the belt/slat system to pull an object with it, not just back to an initial bar about 12” under the treadmill (like mine above), but likely significantly further, because there’s no secondary blocker of the kind some units have.

Meanwhile, for the Peloton Tread (the cheaper one), somehow the display can fall off and end up injuring the person on the treadmill. How this occurs is relatively mind-boggling to me, but obviously, it’s happened. Whether this is an assembly quality issue or an engineering issue is somewhat beside the point, it’s apparently happening. Here’s the exact wording from Peloton on this one:

“Peloton, in cooperation with the U.S. Consumer Product Safety Commission, is recalling the Tread because the touchscreen console on the Tread can detach and fall, posing a risk of injury to consumers.”

Like, that’s literally the definition of ‘the front fell off’.

On the bright side, very few Peloton Tread (non+) units have been sold, at least in the US. Peloton says 1,050 Tread units were sold in the US, as part of a small pilot program in certain US cities. Most Tread units were instead sold in the UK and Canada. Peloton has not sold any treadmills in Germany (their other market). Peloton has now ceased treadmill sales globally. They’re also working on a fix to keep the front from falling off:

“Peloton is implementing a voluntary recall for the Tread in cooperation with the CPSC. We are already working to develop a repair for your Tread touchscreen console and hope that this CPSC-approved repair will be available soon. Until this repair is available, Tread owners can either wait for the repair to be approved in the coming weeks, or they can request a full refund.”

Meanwhile, for the Peloton Tread+, there were 125,000 of those sold in the US. For those folks, Peloton is essentially giving two options:

Option 1: A full refund. Any Peloton Tread+ owner can request a full refund, until November 6th, 2022.

Option 2: Peloton will send someone out to relocate your treadmill to a safer (non-kid) location in your home. Remember, this unit weighs about 500 pounds, so it’s not something you move on your own.

Regardless of which option someone chooses, Peloton is also rolling out a software PIN code. This is in addition to the hardware key that’s already required to operate the treadmill. Ideally, someone would remove the key after each use and put it somewhere safe, which prevents the treadmill from operating. But a software PIN is a much better solution: the treadmill automatically locks after use and requires the PIN before it will run again. This covers scenarios where a parent has to abruptly leave the treadmill mid-workout (to settle a multi-toddler dispute, perhaps) and then doesn’t get back to the unit, or forgets to take the key out.

Peloton says they are working on a hardware modification to the Tread+ as well:

“We are working to develop additional modifications to the recalled Tread+ that will address the hazard of adult users, children and pets being pulled below the Treadmill and suffering serious injury or death. These modifications will be presented to the CPSC and if approved, will be introduced into the product before Peloton resumes sales. We do not have any additional information about the modifications or any proposed timeline right now.”

Undoubtedly, this will be some form of bar or cover over the rear area. But looking at the existing rear of the treadmill, this isn’t going to be an easy fix to roll out on a product designed to be as sleek as possible, never mind rolling it out to 125,000 units (or a portion thereof).

Peloton Data Security Leak:


Oh no, we’re not done yet today. We’re only halfway there.

Earlier in the day, TechCrunch reported that a security researcher was able to access profile information for members whose profiles were set to private, as well as profile information for public members, all without authorization. The researchers have detailed their work here.

The details that were accessible were: User age, gender, city, weight, workout stats, and whether or not it was the user’s birthday (today).

These are essentially the same stats that are viewable on a user’s profile page, split between those seen within a workout and those seen outside one. For example, above you can see my Peloton profile page: my username (dcrainmaker), the city I entered manually (Amsterdam), plus all my workouts. Note that the city is not your billing address; it’s just whatever you put in that public field. Some people leave it blank, some put random things; like filling out a MySpace profile, it’s not super concrete.

The age and gender are the same as displayed when you tap on someone’s profile from the normal Peloton leaderboard. Here’s an example of a random person I just tapped on, from the leaderboard of a class happening this very second:


You can see that the person has specified themselves as a female, under 20, and living in Toronto. And in this pretty rare case, they also listed what is presumably their full name. Or, it might just be a pseudonym and they might be a 45-year-old dude in Germany. Who knows. Here’s an example of a pile of names from a leaderboard this past weekend:

You’ll note, though, that the leak didn’t expose anyone’s real name, their actual location, or anything beyond what is normally public information, except whether or not it was that user’s birthday today. The other detail, somewhat irrelevant right now, was whether the person was taking the class in a Peloton studio or at home. Given that all Peloton studios have been closed for a year, that doesn’t matter much today.

However, the main gap here is that all of this was *ALSO* accessible for private profiles, using the Peloton API (or sorta-API; it’s not really an official, documented API). In other words, the ‘private’ setting was being honored by the apps’ user interface, but not enforced by the backend that actually hands out the data, which is the only place enforcement counts.
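As an added illustration (not Peloton’s code, and not taken from the researchers’ write-up) of why the API itself has to enforce the privacy setting, here is a hypothetical profile handler in Python, with the leaky pattern beside the hardened one. The field names, sample users and in-memory store are constructed for the example; the only thing borrowed from the post is the list of categories that leaked.

```python
"""Added example (not Peloton's code, not from the researchers' write-up):
a profile endpoint that enforces the owner's privacy setting server-side,
shown beside the leaky pattern that trusts the client instead.
All names, fields and sample users below are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    user_id: int
    username: str
    private: bool          # the owner's "private profile" toggle
    age: int
    gender: str
    city: str
    weight_kg: float
    workouts: int
    birthday_today: bool


# Constructed sample store. The field names mirror the categories the post
# lists (age, gender, city, weight, workout stats, birthday flag), not
# Peloton's real schema.
PROFILES = {
    1: Profile(1, "dcrainmaker", False, 40, "M", "Amsterdam", 75.0, 512, False),
    2: Profile(2, "quietrunner", True, 29, "F", "Toronto", 60.0, 87, True),
}

# What everyone may see (a leaderboard needs a name) versus what only a
# public profile, or the owner, should expose.
PUBLIC_FIELDS = ("username",)
DETAIL_FIELDS = ("age", "gender", "city", "weight_kg", "workouts", "birthday_today")


def get_profile_leaky(target_id: int, viewer_id: Optional[int] = None) -> dict:
    """The anti-pattern: the privacy flag is only honoured by the app's UI,
    so any caller who can reach the endpoint gets every field."""
    p = PROFILES[target_id]
    return {f: getattr(p, f) for f in PUBLIC_FIELDS + DETAIL_FIELDS}


def get_profile(target_id: int, viewer_id: Optional[int] = None) -> Optional[dict]:
    """Hardened version: object-level authorization is decided per request,
    from the target's privacy flag and the (possibly anonymous) viewer."""
    p = PROFILES.get(target_id)
    if p is None:
        return None
    data = {f: getattr(p, f) for f in PUBLIC_FIELDS}
    # Details are released only when the profile is public or the viewer is
    # the owner; an unauthenticated viewer (viewer_id=None) never matches.
    if not p.private or viewer_id == p.user_id:
        data.update({f: getattr(p, f) for f in DETAIL_FIELDS})
    return data


def leaked_fields(target_id: int, viewer_id: Optional[int] = None) -> list:
    """Fields the leaky handler returns that the hardened one withholds for
    this viewer. Useful as a regression check in an API test suite."""
    hardened = get_profile(target_id, viewer_id) or {}
    leaky = get_profile_leaky(target_id, viewer_id)
    return sorted(set(leaky) - set(hardened))


if __name__ == "__main__":
    for uid in PROFILES:
        print(f"user {uid} (anonymous viewer) leaks: {leaked_fields(uid)}")
    # user 1 leaks nothing; user 2 leaks every detail field
```

The point of `leaked_fields` is that a privacy setting is a server-side authorization rule, so it belongs in the API’s own test suite: call the endpoint as an anonymous user and as a different logged-in user, and assert that a private profile returns nothing beyond the public fields.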

But that’s also ignoring the fact that it took more than 90 days for Peloton to respond to the security issues, and even then they were only fixed after TechCrunch reached out to Peloton’s press office, which got the ball moving. According to TechCrunch and the researchers, it sounds as if Peloton’s security lead was new to the position and processes were still being put in place.

It also sounds like Peloton didn’t have procedures to escalate security-focused bugs from customer service/support channels to the right internal teams. That’s an important piece for software and hardware companies to have in place: a clearly signposted way to report a vulnerability, plus support staff trained to recognize when a security researcher (or anyone else) is trying to disclose one, so that the report doesn’t get lost in the noise of typical tech-support cases.

Peloton provided the following statement to TechCrunch:

“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”

Again, it’s never good for profiles set to private to be exposed as if they were public. But in this instance, the data involved is less sensitive than in most leaks we tend to see. It’s certainly far less critical than if a Strava profile set to private were exposed, as that contains very specific details about exactly where someone runs/rides, and likely their home address (no, Strava hasn’t had a data leak of that sort yet, and no, people forgetting to add privacy zones doesn’t count. Also, yes, dear god, set a privacy zone around your home, and don’t start your runs/rides from your front door; start them a few hundred meters away).

Of course, all of Peloton’s Bad Day™ will likely be forgotten tomorrow, as conveniently it’s their quarterly earnings call. Undoubtedly they’re going to announce another blockbuster quarter, probably selling more bikes than ever before, with more subscribers than ever before. Make no mistake, there’s a reason this was announced today and not tomorrow. By tomorrow, it’ll literally be yesterday’s news.

With that – thanks for reading!

Product Reviews – DC Rainmaker
