Did weak wi-fi password lead the police to our door?
By Jane Wakefield
After a year of lockdowns, home schooling and a bout of Covid, Kate and Matthew (not their real names) were hoping for better times as 2021 dawned.
Instead, one January morning, there came a knock on the door from the police who were investigating a very serious crime, involving images of child abuse being posted online.
The couple insisted they had nothing to do with it.
But the next few months were utter hell as they attempted to clear their names.
And it was only when the case was dropped in March, with no further action, that they realised the most likely explanation for the false accusation was their wi-fi router - and its factory-set password.
Echelon exposed riders’ account data, thanks to a leaky API
Image Credits: Echelon (stock image)
Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.
Fitness technology company Echelon, like Peloton, offers a range of workout hardware bikes, rowers and a treadmill as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.
But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data including name, city, age, sex, phone number, weight, birthday and workout statistics and history of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.
Newly Patched Peloton API Flaws Exposed Users Private Data
May 20, 2021
Compliance
HealthInfoSec) • May 6, 2021
Photo: Peloton
Security researchers say API flaws could have exposed the private data of millions of Peloton fitness equipment online service users for months before they were recently patched.
The vulnerability issues emerged the same week that Peloton announced the voluntary recalls of two of its treadmills due to serious safety concerns.
In a blog posted Wednesday, security consultancy Pen Test Partners says that in January its researchers notified Peloton via its vulnerability disclosure site about flaws in an endpoint API.
The flaws could allow unauthenticated individuals to view sensitive information for all Peloton users, including snooping on live class statistics, even when users chose private mode settings for their account profiles, Pen Test Partners says.
Thu, May 6th 2021 8:12pm
Timothy Geigner
Peloton is, as they say, having a rough week. While the company has been something of a pop culture darling for several years, it also got a nice boost from this lovely COVID-19 pandemic we ve all been suffering through for more than a year now. Still, no company gets through its full lifecycle unscathed and this week has been a week I m certain the Peloton folks would love to forget. We ll get started with the less-Techdirt centric part of this, which is that Peloton recently had to recall two of its treadmills after it turns out those treadmills occasionally enjoy eating people, especially very young children.