Thu | May 6, 2021 | 11:26 AM PDT

With most gyms closed for the majority of the past year, people have been finding new ways to get their workouts in from the comfort of their own home.

During the pandemic, one of the more popular companies known for its in-home workout equipment has been Peloton. Its stock price skyrocketed from $30 per share at the beginning of 2020 to $150 per share at the end.

But is Peloton safe and secure in your home? And in this case, we are talking about physical and cybersecurity, as well as data privacy.

Let's start with the physical side of things.

Peloton recalls 'Tread' and 'Tread+' products

In April, the American Consumer Product Safety Commission (CPSC) warned consumers of "the danger of popular Peloton Tread+ exercise machine after multiple incidents of small children and a pet being injured beneath the machines."

There was even a 6-year-old child who died after being pulled under the back end of the treadmill.

Peloton originally pushed back against the CPSC, saying its claims were misleading and that there was "no reason to stop using the Tread+, as long as all warnings and safety instructions are followed."

Flash forward to this week, as the company has agreed to comply with the CPSC and made the decision to recall its Tread and Tread+ products.

Here is Peloton CEO John Foley on the recall:

"The decision to recall both products was the right thing to do for Peloton's Members and their families. I want to be clear, Peloton made a mistake in our initial response to the Consumer Product Safety Commission's request that we recall the Tread+. We should have engaged more productively with them from the outset. For that, I apologize. Today's announcement reflects our recognition that, by working closely with the CPSC, we can increase safety awareness for our Members."

After announcing the recall, the company's stock price fell about 13% to $83.50 per share.

Now, let's talk about a cyber vulnerability the company has been dealing with—one that was apparently exposing private customer data for quite some time.

Cybersecurity and privacy concerns for Peloton

Recently, security researcher Jan Masters discovered that anyone could access personal information about millions of Peloton customers.

"An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. Information disclosed included:

•  User IDs
•  Instructor IDs
•  Group membership
•  Location
•  Workout stats
•  Gender and age
•  If they are in the studio or not"

So this pentester found the problem and reported it to Peloton, great. But what did Peloton do about this? We like the summary from TechCrunch:

"Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.

But that deadline came and went, the bug wasn't fixed, and Masters hadn't heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again."

And the security researcher also shared a timeline of everything that happened on his blog post about the incident:

  • 20 January 2021: disclosed privately to Peloton, as per their VDP.
  • 20 January 2021: receipt acknowledged. This is the last we heard from Peloton.
  • 22 January 2021: we requested an update and offered assistance replicating the vulnerability. No response.
  • 2 February 2021: unauthenticated API endpoint issue was silently and partly resolved—user data was now only available to all authenticated Peloton users. Er…?
  • 2 February 2021: we asked for an update, given the silent fix. No response.

In May 2021, Masters says Peloton finally addressed the vulnerability.

"In fairness to Peloton they took it on the chin, thanked us, and acknowledged their failures in the process. I wish all vendors were so honest and grateful."
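The timeline above describes the core failure: the endpoint first required no login at all, and the silent fix only added authentication, so any paying member could still read every other member's data regardless of private mode. The following is an added example (not Peloton's code, and not from the researcher's post) modelling that difference with constructed accounts and a hypothetical public-field policy; the first handler reproduces the authentication-only behaviour, the second adds object-level authorization that honours private mode.

```python
from dataclasses import dataclass, field

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

@dataclass
class User:
    user_id: str
    private_mode: bool
    profile: dict = field(default_factory=dict)

# Constructed sample accounts; field names echo the disclosed categories.
USERS = {
    "u1": User("u1", True, {"user_id": "u1", "location": "Seattle", "age": 34,
                            "gender": "F", "in_studio": False, "workout_stats": {"rides": 12}}),
    "u2": User("u2", False, {"user_id": "u2", "location": "Austin", "age": 41,
                             "gender": "M", "in_studio": True, "workout_stats": {"rides": 80}}),
}
# Hypothetical policy: what a non-private profile exposes to other members.
PUBLIC_FIELDS = {"user_id", "workout_stats"}

def profile_auth_only(session_user, target_id):
    """Behaviour of the 'silent fix': any logged-in member can read any profile."""
    if session_user is None:
        raise Unauthenticated()
    return dict(USERS[target_id].profile)

def profile_authorized(session_user, target_id):
    """Authentication plus object-level authorization that honours private mode."""
    if session_user is None:
        raise Unauthenticated()
    target = USERS.get(target_id)
    if target is None:
        raise Forbidden()            # same response as a denial: no user-ID enumeration oracle
    if session_user == target_id:
        return dict(target.profile)  # owners see their own full record
    if target.private_mode:
        raise Forbidden()            # private profiles are not visible to other members
    return {k: v for k, v in target.profile.items() if k in PUBLIC_FIELDS}

def denied(handler, session_user, target_id):
    """True if the handler refuses the request; used to check both handlers."""
    try:
        handler(session_user, target_id)
        return False
    except (Unauthenticated, Forbidden):
        return True
```

The authentication-only handler still returns location, age and gender for a private-mode user to any other member, which is exactly the state the timeline calls "partly resolved".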

The significance of the API

This recent issue with Peloton highlights how crucial APIs can be for operating an organization and its products. This definition from MuleSoft sums it up well:

"API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you're using an API."

Michael Isbitski, a Technical Evangelist at Salt Security, explains more about the modern importance of APIs and the associated risks:

"APIs are the heart of applications, powering business functionality and serving up data. Oftentimes, organizations build or integrate APIs, without fully considering the abuse cases of the APIs.

Controlling API consumers is difficult, particularly in the world of public, consumer-focused applications. They are built to be accessible by design in order to increase adoption and grow the business of the organization.

Organizations must protect the APIs monitoring consumption continuously in order to take such malicious activity as content scraping or authorization bypasses.

API security issues can also expose organizations to regulatory penalties, since many standards and legislation, including GDPR and CCPA, explicitly define types of PII that must be protected. This includes phone numbers and account identifiers. Even seemingly innocuous types of data can be combined to uniquely identify individuals and impact privacy."

It's been a rough ride for Peloton lately in both physical and cyber security.

But from the sound of it, the organization has now taken steps to improve both of these things.
