Light Dark
June 6, 2024 By Kyri Lea
Anthony Ioppolo
7 min read
Offensive Security
Software Vulnerabilities
X-Force

This research was made possible thanks to contributions from Joshua Merrill.

Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users.

One of the most prominent brands in the fitness equipment industry is Precor, with over 143,000 machines with internet-connected consoles worldwide. These treadmills were the focus of the research.

Through the discovery of an exposed SSH key pair, the researchers gained root-level access to three versions of the console and demonstrated that the treadmill belts can be stopped remotely, which has the potential to cause harm to users. Additionally, the use of a weak hashing algorithm revealed the password for the root user account. As a result of these findings, four CVEs were issued: CVE-2023-49221, CVE-2023-49222, CVE-2023-49223, and CVE-2023-49224.

Methodology

Devices such as smart treadmills often are connected to the internet to initiate updates, regularly utilizing Over the Air (OTA) files. However, when these devices are not connected to the internet, they still must be able to receive new software. This is commonly done using USB updates, where device owners navigate to a company’s software catalog, download the applicable update, and manually initiate it using a USB drive.

Since the software must be downloaded to complete the update process, it must exist on a local device and, if unprotected, it is able to be analyzed. Protection measures may exist, such as proof of purchase or a password on an encrypted ZIP file. Password-protected downloads must be accessible by product owners, so they are typically listed in discoverable user manuals despite their use as a protection mechanism. Once the software is downloaded, common static reverse analysis tools such as strings or binwalk can be used to identify hardcoded secrets or to navigate device filesystems.

Precor had a few of these security measures in place, but after utilizing published user manuals, the researchers were able to download the software for analysis.

Root account password

The P80, P62, and P82 Precor touch-screen consoles are built on an Android operating system with a Linux-style filesystem. By downloading the software update packages for each of these models, the team was able to get a detailed look into the capabilities of the devices without having access to a treadmill with each type of console.

Initial enumeration involved gathering a list of user accounts. With any Linux system, user account information is stored in the /etc / passwd file, which is readable by any user on the system. Typically, a hash of the user’s password is stored in a different file, /etc / shadow, which is only viewable by the root user — the account with the highest level of access.

In all three software versions, the entry for the root account in /etc / passwd also contained an encrypted version of the root user’s password. While the password can be stored in /etc / passwd, this is not the recommended approach for two reasons. First, the string that appears in the passwd file is hashed using the DES encryption algorithm, which can be cracked in a reasonable amount of time with modern hardware. Second, this file is world-readable, so any user can obtain this hashed password and attempt to crack it.

Figure 1: Contents of /etc / passwd on P82 console

The hashed password for the root account is the same for each console and was cracked in less than 24 hours to reveal the plaintext password. While an exposed password is always a risk, the consoles do not have a traditional Linux login screen or access to a command line interface when installed on a treadmill or other piece of gym equipment, so the team was unable to find a way to use this to log in to the account.

Explore offensive security services

Exposed SSH keys

After noting user accounts on the consoles, enumeration continued by investigating the firewall rules to determine if there were potential avenues for a remote connection. On the P80 console, the oldest among the ones examined, three rules allowed incoming connections of interest: SSH, a secure remote connection program; Precor remote debug, which appeared to be a proprietary method of connecting to the consoles; and ADB, or Android Debug Bridge, which can be used to access Android devices through the command line.

Figure 2: Firewall rules on P80 console

Since a username/password pair had already been obtained, SSH appeared to be the most promising option of the three. However, a line within the SSH configuration file indicated that this protocol used a public/private key pair rather than a password for authentication. This file also suggested that the allowed public key was stored at /etc/ssh/ssh_host_rsa_key.

Figure 3: SSH configuration file showing key location

SSH uses an authorized_keys file to contain a list of public keys for which the associated private key will enable a user to connect to the system. The P62 and P82 console software did not include the firewall rules or the SSH configuration file, but all three versions had an authorized_keys file containing the same public key found in /etc/ssh/ssh_host_rsa_key on the P80.

Figure 4: Authorized public key on P82 console

Figure 5: Authorized public key on P80 console

Figure 6: Authorized public key on P62 console

This was an interesting finding because it meant Precor designed the software so anyone with the private key could connect as root to any of these units and control them remotely. However, this cannot be used by anyone without the corresponding private key and, on its own, does not provide significant risk.

A public and private key pair are commonly stored together in the SSH directory on a system. On the P80, this directory contained two files of interest: ssh_host_rsa_key.pub, which was the public key indicated by the SSH configuration file, and ssh_host_rsa_key. This second file was the private key that would grant access via SSH to any P80, P62, and P82 console.

Figure 7: Finding the private SSH key on P80 console

With this discovery, the researchers believed that they should be able to use SSH to connect to any treadmill with one of the three console types containing the public key. Until this point, this potential attack was based on only the files found in the downloaded software updates for the smart consoles and had not been confirmed on a physical treadmill. The next step was to test with actual equipment — a Precor treadmill with a P62 console. The attack involved two steps:

  1. Determine the IP of the device. With access to the treadmill, this can be done by using the instructions in the user manual to access the administrative panel that contains connectivity options. Alternatively, this address could likely be determined through a network scan.
  2. While on the same network as the treadmill, use the found SSH private key to connect to the IP address of the treadmill’s console.

Figure 8: SSH connection to the root account on P62 console

Once connected, the attacker has full access to the file system of the console as the root user and can issue commands. While functions such as adjusting speed and incline cannot be controlled directly through the command line, it is possible to send a reboot command to the console. If the treadmill belt is active, this will cause it to rapidly and unevenly come to a stop while the console shuts down, which poses a risk to anyone exercising on these treadmills.

Suggested security precautions

The vendor was notified of these issues after the conclusion of the project. The vendor’s security team was timely when remediating the vulnerabilities to secure the affected products. Precor has issued patched software for all the console versions affected so that they do not allow external SSH access to the consoles for versions: P82_8.3.2 and P82_9.2.3_M, P62_8.3.2, and P80_7.2.11. Anyone who owns a Precor fitness device with a P82, P62, or P80 console is recommended to update to these versions as soon as possible.

Other precautions that can be taken to protect users of smart gym equipment include ensuring these devices are on a separate, secured network that a potential attacker would not be able to join or disconnecting them from the internet entirely if the online features are not being used.

To learn how IBM X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a briefing here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact IBM X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

 |  |  |  |  | 
Kyri Lea
Hacker, IBM X-Force Red
Anthony Ioppolo
Hacker, IBM X-Force Red

More from Offensive Security
May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

October 24, 2023

AI vs. human deceit: Unravelling the new age of phishing tactics

7 min read - Attackers seem to innovate nearly as fast as technology develops. Day by day, both technology and threats surge forward. Now, as we enter the AI era, machines not only mimic human behavior but also permeate nearly every facet of our lives. Yet, despite the mounting anxiety about AI’s implications, the full extent of its potential misuse by attackers is largely unknown. To better understand how attackers can capitalize on generative AI, we conducted a research project that sheds light on…

April 5, 2023

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature