X-Force Discovers New Vulnerabilities in Smart Treadmill
upstart writes:
X-Force discovers new vulnerabilities in smart treadmill:
Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users.
One of the most prominent brands in the fitness equipment industry is Precor, with over 143,000 machines with internet-connected consoles worldwide. These treadmills were the focus of the research.
Through the discovery of an exposed SSH key pair, the researchers gained root-level access to three versions of the console and demonstrated that the treadmill belts can be stopped remotely, which has the potential to cause harm to users. Additionally, the use of a weak hashing algorithm revealed the password for the root user account. As a result of these findings, four CVEs were issued: CVE-2023-49221, CVE-2023-49222, CVE-2023-49223, and CVE-2023-49224.
Devices such as smart treadmills often are connected to the internet to initiate updates, regularly utilizing Over the Air (OTA) files. However, when these devices are not connected to the internet, they still must be able to receive new software. This is commonly done using USB updates, where device owners navigate to a company's software catalog, download the applicable update, and manually initiate it using a USB drive.
Since the software must be downloaded to complete the update process, it must exist on a local device and, if unprotected, it is able to be analyzed. Protection measures may exist, such as proof of purchase or a password on an encrypted ZIP file. Password-protected downloads must be accessible by product owners, so they are typically listed in discoverable user manuals despite their use as a protection mechanism. Once the software is downloaded, common static reverse analysis tools such as strings or binwalk can be used to identify hardcoded secrets or to navigate device filesystems.
[...] The P80, P62, and P82 Precor touch-screen consoles are built on an Android operating system with a Linux-style filesystem. By downloading the software update packages for each of these models, the team was able to get a detailed look into the capabilities of the devices without having access to a treadmill with each type of console.
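The excerpt names two defect classes a pre-release firmware audit should catch before a package is ever published to a download catalog: private keys left in the filesystem and root accounts protected by a weak crypt(3) scheme. The following scanner is an added example, not X-Force's tooling or anything from Precor's software; it walks an unpacked update image (a constructed temporary tree with dummy, non-functional values stands in for a real one) and reports both findings, so a vendor can gate releases on an empty report.

```python
"""Audit an unpacked firmware/update filesystem for hardcoded private keys
and weak password hashes. Added example with constructed sample data."""
import re
import tempfile
from pathlib import Path

# PEM header shared by RSA/DSA/EC/OpenSSH private keys; this is the same
# marker `strings` would surface in a raw image.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# crypt(3) scheme identifiers (the text between the first two '$').
WEAK_SCHEMES = {"1": "md5crypt", "apr1": "apr1-md5"}
STRONG_SCHEMES = {"5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
                  "7": "scrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def classify_hash(field: str) -> str:
    """Classify one /etc/shadow password field as locked, weak, strong or unknown."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"
    if not field.startswith("$"):
        # Traditional DES crypt: 13 characters, no scheme prefix, trivially brute-forced.
        return "weak" if len(field) == 13 else "unknown"
    scheme = field.split("$")[1]
    if scheme in WEAK_SCHEMES:
        return "weak"
    if scheme in STRONG_SCHEMES:
        return "strong"
    return "unknown"


def audit_tree(root: Path) -> dict:
    """Walk an unpacked filesystem and collect key files and weak/unknown hashes."""
    findings = {"private_keys": [], "weak_hashes": [], "unknown_hashes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if PRIVATE_KEY_RE.search(data):
            findings["private_keys"].append(rel)
        if path.name == "shadow":
            for line in data.decode("utf-8", "replace").splitlines():
                parts = line.split(":")
                if len(parts) < 2:
                    continue
                verdict = classify_hash(parts[1])
                if verdict == "weak":
                    findings["weak_hashes"].append((rel, parts[0]))
                elif verdict == "unknown":
                    findings["unknown_hashes"].append((rel, parts[0]))
    return findings


def build_sample_tree() -> Path:
    """Write a constructed, deliberately flawed image to a temp dir (all values are dummies)."""
    root = Path(tempfile.mkdtemp(prefix="fw_audit_"))
    (root / "etc").mkdir()
    (root / "root" / ".ssh").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$1$saltsalt$CONSTRUCTEDNOTAREALHASH00:19000:0:99999:7:::\n"       # md5crypt -> weak
        "svc:$6$saltsalt$CONSTRUCTEDNOTAREALHASHxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::\n"  # sha512crypt -> ok
        "legacy:abCDefGH12345:19000:0:99999:7:::\n"                             # DES crypt -> weak
        "nobody:!:19000:0:99999:7:::\n")                                        # locked
    (root / "root" / ".ssh" / "id_rsa").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-DUMMY-BODY-NOT-A-KEY\n"
        "-----END RSA PRIVATE KEY-----\n")
    (root / "etc" / "hostname").write_text("console\n")
    return root


if __name__ == "__main__":
    report = audit_tree(build_sample_tree())
    for category, items in report.items():
        print(f"{category}: {items}")
```

Run against a real unpacked update directory by passing its path to `audit_tree`; a release gate would fail on any non-empty `private_keys` or `weak_hashes` list, and `unknown_hashes` is worth a manual look rather than a silent pass.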
Read more of this story at SoylentNews.