from the spinning-in-circles dept
Peloton is, as they say, having a rough week. While the company has been something of a pop culture darling for several years, it also got a nice boost from this lovely COVID-19 pandemic we’ve all been suffering through for more than a year now. Still, no company gets through its full lifecycle unscathed and this week has been a week I’m certain the Peloton folks would love to forget. We’ll get started with the less-Techdirt centric part of this, which is that Peloton recently had to recall two of its treadmills after it turns out those treadmills occasionally enjoy eating people, especially very young children.
Peloton has received at least 72 reports of adults, children, pets and/or objects getting dragged under their Tread+ treadmill. In those incidents, 29 children suffered injuries, which included second- and third-degree abrasions, broken bones, and lacerations, the US Consumer Product Safety Commission noted.
In February, a father reported to the CPSC that his 3-year-old son was pulled under a Tread+ and trapped. When the father discovered his son and was able to free him, the toddler was pulseless and not breathing, according to the report. Fortunately, the boy was resuscitated, but he “now has significant brain injury.” The boy had tread marks on his back matching the slats of the Tread+, as well as a neck injury, and petechiae (small blood spots) on his face, presumably from blood flow being cut off.
When Peloton learned of the “unthinkable” death of the 6-year-old in March, Peloton CEO John Foley sent a note to customers noting the “tragic accident” and highlighting safety warnings for its treadmills. The March 18 note cautioned customers to “keep children and pets away from Peloton exercise equipment at all times.”
Those warnings were glaringly insufficient and the CPSC basically told people to stop using the product. In mid-April, Peloton’s CEO informed customers that the company was aware of the CPSC advice, but that the company was not planning to stop selling the treadmills at all. Instead, the company essentially said that if the product warnings were adhered to, there was no problem. It was only this week when the company admitted that this was a mistake in approach and issued a recall for the two treadmills in question. That it should have done so, and subsequently added physical protection to its products to avoid all of this, really should have been painfully obvious once we got to the part where a 3 year old suffered lifelong injuries and treadmarks across his back and another child… you know… died.
But the troubles for the company keep on coming. The most recent news is that security researchers found that Peloton had exposed customer data to, well, basically anyone with a little technical know-how and then tried to keep the whole thing silent with an enormously insufficient “fix.”
Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.
The reporting indicates that this exposure included customer information such as their user IDs, group memberships, workout information, age, gender, weight, and more. You know, probably not the sort of thing customers that set their profiles to private while trying to exercise and/or lose weight would want exposed to anyone that wanted to take a look. The APIs apparently required no authentication. When Pen Test Partners reached out to the company and informed them of all of this, the company immediately acknowledged the information… and then did nothing for two weeks.
Two weeks later, the Peloton rolled out a half-fix without informing anyone.
Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber. When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Test Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.
“I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users,” Munro told me. “I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs.”
This doubling up of a callous response to the physical and virtual safety of its own customers is a horrible look for Peloton. Again, with the exception of a possibly ill-conceived advertisement campaign a few years back, this company is an absolute media darling with a fair amount of good will built up for itself. Simply by not taking its customer’s safety seriously, that good will seems to be pretty seriously at risk.
And, it’s worth noting, breaches and exposures like this almost always turn out to be more serious than first reported. Maybe that won’t be the case this time. Or maybe Peloton’s bad time is about to get even worse.