Peloton exercise bikes found exposing user data – company dawdles in its response

Fit for purpose?

Graham Cluley
@gcluley


Back in January I wrote a piece explaining why I didn’t think we should worry too much about media reports theorising on the potential of Joe Biden’s Peloton being a security risk.

My view was that the fears of spying on the newly-inaugurated US President via the exercise bike’s microphone and webcam might be overhyped. In short – don’t sweat.

On the same day as I published that article, a little birdie in the infosecurity community privately reached out to me saying that there might be another concern – that Peloton might be leaking personal information about its many customers.


The news didn’t land well with me as I had just had my own Peloton delivered, at the recommendation of my equally fat brother who had been exercising on one for some months.

Gulp!

Now, finally, the news is public.

As researchers at Pen Test Partners explain in a blog post, Peloton’s API was leaking information about users (their user IDs, location, statistics about workouts, their gender and age, avatar, and so on).

Furthermore, setting your Peloton account to “private” may have restricted your profile from being viewed within the app or from the bike by anyone other than fellow cyclists you had previously authorised, but didn’t actually prevent anyone from accessing the details via the API.

But why did the news of Peloton’s data goof take so long to become public? It appears that the process of getting Peloton to understand the nature of the problem, and then getting them to fix it properly, was unnecessarily protracted.

Furthermore, Peloton initially tried to apply silent fixes for the problem – without informing the researchers. Unfortunately those fixes were at first only partially successful at preventing the data from being accessed: it was still available to any other Peloton user, rather than to the entire world.
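The two failures described above (a “private” flag honoured by the app but not by the API, and a silent fix that merely narrowed the audience from “everyone” to “any logged-in user”) both come down to where the authorisation decision is made. The following is an added illustration, not Peloton’s code or Pen Test Partners’ research; the profile fields, the in-memory store and the function names are constructed for the example.

```python
# Added example: a toy profile API showing the privacy-enforced-in-the-client
# anti-pattern beside a server-side check. All data below is constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    private: bool
    gender: str
    age: int
    location: str
    # Users this profile owner has explicitly authorised to view the profile.
    approved_followers: set = field(default_factory=set)


# Constructed sample records standing in for the profile database.
PROFILES = {
    "u1": Profile("u1", True, "f", 34, "Leeds", approved_followers={"u2"}),
    "u3": Profile("u3", False, "m", 41, "Bristol"),
}

# The only field a stranger may learn about a private profile.
PUBLIC_FIELDS = ("user_id",)


def _full_view(p):
    return {"user_id": p.user_id, "gender": p.gender,
            "age": p.age, "location": p.location}


def get_profile_leaky(requester_id, target_id):
    """Anti-pattern: the API returns the whole record and relies on the app to
    hide it when 'private' is set. Anyone calling the API directly sees it all.
    A 'fix' that only rejects requester_id=None has the same shape: every other
    account can still read the record."""
    return _full_view(PROFILES[target_id])


def get_profile_hardened(requester_id, target_id):
    """Server-side decision per request, so app and raw API behave the same.
    requester_id is None for an unauthenticated caller."""
    p = PROFILES.get(target_id)
    if p is None:
        return None
    if not p.private:
        return _full_view(p)
    # Owner or an explicitly approved follower: full profile.
    if requester_id is not None and (
            requester_id == p.user_id or requester_id in p.approved_followers):
        return _full_view(p)
    # Anonymous caller or any other signed-in user: minimal view only.
    return {k: v for k, v in _full_view(p).items() if k in PUBLIC_FIELDS}
```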

Ultimately, the problem was only properly brought to a satisfactory conclusion after a journalist contacted the fitness firm’s PR department.

Don’t ignore reports from vulnerability researchers. Don’t try to silently fix problems without working with them to ensure that you have understood the problem properly. Don’t wait until a journalist is called in to make you take the problem a little more seriously.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
