Echelon, ever the Peloton copycat, also left riders’ info exposed

At-home workout company Echelon had poor security that allowed anyone to access riders’ account information including name, city, age, phone number, weight, and other personal data. That’s according to cybersecurity research firm Pen Test Partners, which says it discovered and reported the flaw to Echelon back in January.

TechCrunch, which first reported on the news, was told by Echelon that it has since patched the vulnerability. The company competes with Peloton as a cheaper alternative and makes a range of hardware including bikes, rowers, and a treadmill. It recently added the Reflect, a “fitness mirror” that’s a clear imitation of Mirror.

Copying to the extreme — Echelon has been criticized in the past as a Peloton copycat for making machines that look so similar. But maybe it copied a bit too much, because today’s news follows on reports earlier this month that Peloton had similarly lax security when Pen Test discovered that anyone could use that company’s API to make “unauthorized requests for user account data.”

Normally, APIs that provide access to personally identifiable information are supposed to check whether or not a request is authorized with a valid token generated by the relevant user account. But neither Peloton nor Echelon were seemingly doing that — inserting any username into a simple programming script would return the account’s profile information.

Apparently, both companies also dragged their feet on making a fix after being alerted.

Laziness — Cybersecurity isn’t sexy, and it might not seem a necessary thing to worry about when designing stationary exercise machines. Most of the information accessible in an Echelon or Peloton profile isn’t that sensitive. At most, an intruder would get a phone number. But that’s not nothing. Echelon offers live and pre-recorded classes that users can workout to, and Pen Test Partners says the discovered flaw would allow someone to at least find the phone number of any other member in a class.

The pandemic saw a huge surge in purchases of at-home exercise machines, and many important and influential people are known to use them — President Biden used a Peloton before entering the White House. So there is a real threat, and securing an API against unauthorized access is a very rudimentary security measures companies can take. It’s not very difficult, which makes it seem plausible that Echelon and Peloton were just being lazy.