Peloton has hit a pothole. Its API was leaking riders’ private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn’t get around to telling the researcher until he reached out to a cybersecurity journalist for some help.
This is bad news for Peloton, coming just before other, far more horrific news hit the headlines: Namely, on Wednesday, the company recalled all of its treadmills, which have been linked to 70 injuries and the death of one child. It also admitted that it had been wrong to refuse the Consumer Product Safety Commission’s request that it pull the equipment: In April, the CPSC warned consumers to stay off the Peloton Tread+, which “poses serious risks to children for abrasions, fractures, and death.”
The CPSC said that it had received multiple reports of children, and at least one pet, getting trapped, pinned, and pulled under the rear roller. The commission posted a disturbing video showing a child getting pulled under the front rollers (he wasn’t injured). “It is believed that at least one incident occurred while a parent was running on the treadmill, suggesting that the hazard cannot be avoided simply by locking the device when not in use,” the CPSC said. “Reports of a pet and objects being sucked beneath the Tread+ also suggest possible harm to the user if the user loses balance as a result.”
At the time of the CPSC warning, Peloton issued a statement scoffing at the commission’s recall request, calling it “inaccurate and misleading.”
That was two weeks ago. Now, the company has done an abrupt about-face. “I want to be clear, Peloton made a mistake in our initial response to the CPSC’s request,” Peloton CEO John Foley said in a statement. “We should have engaged more productively with them from the outset. For that, I apologize.”
More Problems on the Privacy Front
Peloton is also having a tough week in terms of privacy news. Nobody wants to have their supposedly private profile, age, city, or workout history pop up in a screenshot while they’re pumping their quads on one of Peloton’s pricey bikes. But that’s what happened to TechCrunch’s Zack Whittaker last week: It’s how he came to find out that Pen Test Partners needed a trusted journalist – i.e., him – to get Peloton’s attention.
Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, regardless of their profiles being set to private. As Masters said in a post about the glitch, the leaky API was allowing any user, along with any random internet passersby, to make an unauthenticated request for account data to the API without the API making sure that they had any right to the data. The API enables the bikes to upload data to Peloton’s servers.
The entire list of exposed private details:
- User IDs
- Instructor IDs
- Group Membership
- Location
- Workout stats
- Gender and age
- If they are in the studio or not
That’s not good for any of the company’s riders, of which it has many: Peloton says it has more than 3 million subscribers, with over 1 million of them connected, as in, they pay to synchronize workout classes with their Peloton equipment. But it’s particularly concerning given that one of those members is reportedly President Joe Biden: as the New York Times reported a year ago, the then-presidential candidate started each day by hopping on one of these $1,895, indoor stationary bikes-cum social media platform.
Post-election, cybersecurity watchers raised red flags. As it is, the bikes have built-in cameras and microphones that let riders see and hear each other if they like. Do we really want spies from adversarial nations to be able to peer into the White House workout room? To listen in on the president’s workout, or even to know when, exactly, he’s working out?
In January, Popular Mechanics ran a story questioning the safety of such a setup, with the headline “Why Joe Biden Can’t Bring His Peloton to the White House.” As of March, it wasn’t clear whether the CIA wound up allowing President Biden to move his bike into the White House, though cybersecurity experts told the New York Times that if he wanted it, he could certainly have it – with enough preparation to avoid risks, that is.
But what kind of preparation can you do to protect the president, or anybody, from a leaky API that nobody knows about?
Jason Kent, Hacker in Residence at Cequence Security, told Threatpost in an email on Wednesday that the Feds may have locked down the president’s bike (if, in fact, he now has one in the White House), but that wouldn’t address the security hole of a leaky API. “The profile was built prior to the presidency,” Kent said. “To participate in a ride on a Peloton, you have to be online. Otherwise, you are merely riding a stationary bike (boring). Yes, if they took it offline, that would secure it. Otherwise, I imagine they trusted Peloton’s security statement, as others did.”
What a Leaky Spring
In just the past month alone, leaky APIs have also cropped up in the invitation-only chat app Clubhouse, John Deere and Experian. If those, plus the Peloton leak, are any indication, “We are in for a wild ride of API-driven breaches,” Kent predicted.
But while the leaks grab the headlines, the cause of the leaks – i.e., a misconfigured API – is typically glossed over, he said, because “It’s the plumbing that enabled the leak, and the resulting leak is the ‘news.'” As we see ever more leaks, however, Kent thinks we’ll see more attention paid to these vulnerabilities. As it is, they cover multiple spots on the OWASP API Security Top 10 list of vulnerabilities, he noted: “Weak authentication is #1 and # 5 on the list, ranked in terms of priority and severity,” Kent notes. “Sensitive data exposure is #3.”
As far as the damage threat actors can do with the data, it varies on what the nefarious have in mind. “It is location data for specific individuals, so an angry abuser or anyone that is looking to harm someone could get this data and find another person on the system physically,” Kent says.
Particularly alarming is what malicious eavesdroppers might do with a president’s PII: a scenario that underscores the danger of deep fakes, for one. “They could also build fake profiles, execute fake account creation attacks on other apps, look for their username in other apps, use the data in automated attacks,” Kent explained. “Personal data is the critical element in building out cyber attacks – the other two are infrastructure and tools.”
How Can We Stop This API Flood?
The only way to plug the dam is to stop putting everything on the Internet, Kent says. Do we really need connected exercise equipment? Toasters? We could probably live with dumb appliances just fine. We might want to, Kent suggests, given that we’re trusting our data to companies whose strengths don’t necessarily lie in securely storing data. “Companies that make bicycles aren’t the greatest source of trusted data exchanges or data storage, and thus these tools should be locked down as tightly as possible,” he suggests.
Users need to spend time in the security settings and dial them down, Kent says, though how that will help prevent leakage due to API vulnerabilities is anybody’s guess. “Do NOT accept default settings,” Kent told Threatpost. “But even with these efforts, what is being allowed will go through an API, and if the back end of the API – the authentication in this case – is flawed, then the data may be exposed.
“The leaky Peloton API is just the latest example of how hard it can be for API developers to get authentication just right,” Kent continued. “In needing to build an API that allows some users to share information and build community, while respecting those who want privacy by ensuring the data is secure, they have risked all user data. The information might not show in the application itself, but developers and security teams need to also confirm that the APIs themselves conform to the security measures in place. If 2013 was the year of the web attack, 2021 is shaping up to be the year of the API attack. Organizations need to react quickly to first, find all of their API endpoints and secondly, understand their security posture.”
Vulnerability Disclosure Program SNAFU
Masters didn’t anticipate any problem with getting the issue resolved. After all, Peloton has a Vulnerability Disclosure Program. He privately disclosed the flaw to Peloton on Jan. 20, per its program rules. Receipt was acknowledged on the same day. Unfortunately, that’s the last that Pen Testers heard from the company.
Two days later, the penetration-testing company asked for an update and offered help in replicating the problem. Again, it didn’t hear back. But by Feb. 2, the security researchers found that the issue with unauthenticated endpoint had been “silently and partly” resolved.
“User data was now only available to all authenticated Peloton users,” Masters recounted in his post. But it was only a partial fix in that it didn’t solve the problem with the data being exposed to any other Peloton user, he noted.
After 90 days, Pen Test Partners reached out to Whittaker to speak to Peloton on its behalf.
It’s all OK now, according to Masters. On Wednesday, he updated his initial blog post about the situation, saying that he’d finally been contacted directly by Peloton’s CISO.
“Shortly after contact was made with the press office at Peloton we had contact direct from Peloton’s CISO, who was new in post,” Masters wrote. “The vulnerabilities were largely fixed within 7 days. It’s a shame that our disclosure wasn’t responded to in a timely manner and also a shame that we had to involve a journalist in order to get listened to. In fairness to Peloton they took it on the chin, thanked us, and acknowledged their failures in the process. I wish all vendors were so honest and grateful.”
Peloton provided this statement to TechCrunch:
It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.
Threatpost reached out to Peloton to ask whether it planned to inform riders that their private data was leaked and to ask how, exactly, it plans to improve its working relations with security researchers. A representative said that the company had nothing else to say beyond what it already shared with Pen Test Partners and TechCrunch.
05/05/2021 13:19 UPDATE: This article was updated to include input from Jason Kent.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.