Precor's "Smart" Treadmills Vulnerable to Attack, IBM X-Force Researchers Warn

Poor password hashing and an exposed SSH key mean anyone can take over vulnerable treadmills — and even stop them during use.

IBM's X-Force security team has warned of a perhaps-surprising new route for ne'er-do-wells to wreak havoc on your home network: major security vulnerabilities in a popular line of smart treadmills.

"Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress," explain IBM's Kyri Lea and Anthony Ioppolo in a joint post on the topic. "With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users."

The team's focus was on treadmills from Precor, which is estimated to have sold over 143,000 of its internet-connected smart exercise devices to date. The problem: the Android-based smart consoles that provide the treadmills with their connectivity come with a major security vulnerability in the form of an exposed key pair for Secure Shell (SSH) connectivity — allowing attackers to connect to the treadmills and gain root access.

That's a major problem for general network security: with root on the console, attackers can use the treadmill as a jumping-off point for attacking the rest of the network, or simply as another node in a botnet. The vulnerabilities could have a more direct, and dramatic, impact too: IBM's researchers found that it was possible for an attacker to stop the treadmill belt remotely, which could result in injury to its user.
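The flaw described above is a shipped SSH key pair: the same secret baked into every console image, so whoever extracts the image can authenticate as root. The script below is an added example (not IBM X-Force's or Precor's code) of the audit a practitioner would run over an unpacked console image to catch exactly that. It assumes you have already extracted the image to a directory; the file layout it builds for the demo is constructed and is not Precor's actual layout, and the key blobs are placeholders rather than real keys.

```python
"""Scan an extracted firmware / APK tree for shipped SSH key material.

Added example, not IBM X-Force's or Precor's code. Assumes the console image
has already been unpacked into a directory. The demo layout and key blobs
below are constructed for illustration only.
"""
import re
import tempfile
from pathlib import Path

# PEM / OpenSSH private-key header, covering the common key-type variants.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# One OpenSSH public-key line: key type, base64 blob, optional comment.
PUBKEY_RE = re.compile(
    rb"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/=]+)", re.M)


def pubkey_blobs(data):
    """Return the set of base64 key blobs found in public-key-shaped lines."""
    return {m.group(1) for m in PUBKEY_RE.finditer(data)}


def scan_tree(root):
    """Return findings as sorted (relative path, kind, severity) tuples.

    MEDIUM:   an authorized_keys file shows which public keys get a shell.
    HIGH:     a private key ships in the image; every unit shares it and
              anyone holding the image holds the secret.
    CRITICAL: a shipped private key's public half is listed in an
              authorized_keys file, so the image itself is the credential
              (root, if that file lives under root's home).
    """
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    trusted = set()  # blobs listed in any authorized_keys file
    findings = []

    for p in files:
        if p.name == "authorized_keys":
            trusted |= pubkey_blobs(p.read_bytes())
            findings.append((str(p.relative_to(root)), "authorized_keys", "MEDIUM"))

    for p in files:
        if p.name == "authorized_keys":
            continue
        if not PRIVATE_KEY_RE.search(p.read_bytes()):
            continue
        severity = "HIGH"
        # OpenSSH convention: the public half of id_rsa sits next to it as id_rsa.pub.
        pub = p.with_name(p.name + ".pub")
        if pub.is_file() and pubkey_blobs(pub.read_bytes()) & trusted:
            severity = "CRITICAL"
        findings.append((str(p.relative_to(root)), "private_key", severity))
    return sorted(findings)


# Constructed placeholder blobs (valid base64 alphabet, not real keys).
SUPPORT_BLOB = b"AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSupportKeyBlob"
HOST_BLOB = b"AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedHostKeyBlob"


def build_demo_tree(base):
    """Write a constructed console-image layout under base (demo data only)."""
    base = Path(base)
    demo = {
        "system/build.prop": b"ro.product.model=console\n",
        "system/etc/ssh/ssh_host_rsa_key":
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "system/etc/ssh/ssh_host_rsa_key.pub": b"ssh-rsa " + HOST_BLOB + b" root@console\n",
        "data/ssh/id_rsa":
            b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaConstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "data/ssh/id_rsa.pub": b"ssh-rsa " + SUPPORT_BLOB + b" support@vendor\n",
        "data/ssh/root/.ssh/authorized_keys": b"ssh-rsa " + SUPPORT_BLOB + b" support@vendor\n",
    }
    for rel, content in demo.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    for path, kind, severity in demo():
        print(f"{severity:8} {kind:16} {path}")
```

Run it against a real unpacked image by calling `scan_tree("/path/to/extracted")`. A shared host key (HIGH) means every unit presents the same SSH identity, so a client cannot tell a genuine console from an impostor; a client key whose public half is in `authorized_keys` (CRITICAL) is the shipped-credential case the article describes. The regexes only catch OpenSSH-style text material, so keys stored in Android keystores or inside compiled code will need other tooling.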

"Precor has issued patched software for all the console versions affected so that they do not allow external SSH access to the consoles for versions: P82_8.3.2 and P82_9.2.3_M, P62_8.3.2, and P80_7.2.11," Lea and Ioppolo explain of the company's response to the team's findings. "Anyone who owns a Precor fitness device with a P82, P62, or P80 console is recommended to update to these versions as soon as possible."

More information on the research is available on IBM's Security Intelligence blog.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin.