This research was made possible thanks to contributions from Joshua Merrill.
Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users.
One of the most prominent brands in the fitness equipment industry is Precor, with over 143,000 machines with internet-connected consoles worldwide. These treadmills were the focus of the research.
Through the discovery of an exposed SSH key pair, the researchers gained root-level access to three versions of the console and demonstrated that the treadmill belts can be stopped remotely, which has the potential to cause harm to users. Additionally, the use of a weak hashing algorithm revealed the password for the root user account. As a result of these findings, four CVEs were issued: CVE-2023-49221, CVE-2023-49222, CVE-2023-49223, and CVE-2023-49224.
Methodology
Devices such as smart treadmills often are connected to the internet to initiate updates, regularly utilizing Over the Air (OTA) files. However, when these devices are not connected to the internet, they still must be able to receive new software. This is commonly done using USB updates, where device owners navigate to a company’s software catalog, download the applicable update, and manually initiate it using a USB drive.
Since the software must be downloaded to complete the update process, it must exist on a local device and, if unprotected, it is able to be analyzed. Protection measures may exist, such as proof of purchase or a password on an encrypted ZIP file. Password-protected downloads must be accessible by product owners, so they are typically listed in discoverable user manuals despite their use as a protection mechanism. Once the software is downloaded, common static reverse analysis tools such as strings or binwalk can be used to identify hardcoded secrets or to navigate device filesystems.
Precor had a few of these security measures in place, but after utilizing published user manuals, the researchers were able to download the software for analysis.
Root account password
The P80, P62, and P82 Precor touch-screen consoles are built on an Android operating system with a Linux-style filesystem. By downloading the software update packages for each of these models, the team was able to get a detailed look into the capabilities of the devices without having access to a treadmill with each type of console.
Initial enumeration involved gathering a list of user accounts. With any Linux system, user account information is stored in the /etc / passwd file, which is readable by any user on the system. Typically, a hash of the user’s password is stored in a different file, /etc / shadow, which is only viewable by the root user — the account with the highest level of access.
In all three software versions, the entry for the root account in /etc / passwd also contained an encrypted version of the root user’s password. While the password can be stored in /etc / passwd, this is not the recommended approach for two reasons. First, the string that appears in the passwd file is hashed using the DES encryption algorithm, which can be cracked in a reasonable amount of time with modern hardware. Second, this file is world-readable, so any user can obtain this hashed password and attempt to crack it.
Figure 1: Contents of /etc / passwd on P82 console
The hashed password for the root account is the same for each console and was cracked in less than 24 hours to reveal the plaintext password. While an exposed password is always a risk, the consoles do not have a traditional Linux login screen or access to a command line interface when installed on a treadmill or other piece of gym equipment, so the team was unable to find a way to use this to log in to the account.
Explore offensive security services
Exposed SSH keys
After noting user accounts on the consoles, enumeration continued by investigating the firewall rules to determine if there were potential avenues for a remote connection. On the P80 console, the oldest among the ones examined, three rules allowed incoming connections of interest: SSH, a secure remote connection program; Precor remote debug, which appeared to be a proprietary method of connecting to the consoles; and ADB, or Android Debug Bridge, which can be used to access Android devices through the command line.
Figure 2: Firewall rules on P80 console
Since a username/password pair had already been obtained, SSH appeared to be the most promising option of the three. However, a line within the SSH configuration file indicated that this protocol used a public/private key pair rather than a password for authentication. This file also suggested that the allowed public key was stored at /etc/ssh/ssh_host_rsa_key.
Figure 3: SSH configuration file showing key location
SSH uses an authorized_keys file to contain a list of public keys for which the associated private key will enable a user to connect to the system. The P62 and P82 console software did not include the firewall rules or the SSH configuration file, but all three versions had an authorized_keys file containing the same public key found in /etc/ssh/ssh_host_rsa_key on the P80.
Figure 4: Authorized public key on P82 console
Figure 5: Authorized public key on P80 console
Figure 6: Authorized public key on P62 console
This was an interesting finding because it meant Precor designed the software so anyone with the private key could connect as root to any of these units and control them remotely. However, this cannot be used by anyone without the corresponding private key and, on its own, does not provide significant risk.
A public and private key pair are commonly stored together in the SSH directory on a system. On the P80, this directory contained two files of interest: ssh_host_rsa_key.pub, which was the public key indicated by the SSH configuration file, and ssh_host_rsa_key. This second file was the private key that would grant access via SSH to any P80, P62, and P82 console.
Figure 7: Finding the private SSH key on P80 console
With this discovery, the researchers believed that they should be able to use SSH to connect to any treadmill with one of the three console types containing the public key. Until this point, this potential attack was based on only the files found in the downloaded software updates for the smart consoles and had not been confirmed on a physical treadmill. The next step was to test with actual equipment — a Precor treadmill with a P62 console. The attack involved two steps:
- Determine the IP of the device. With access to the treadmill, this can be done by using the instructions in the user manual to access the administrative panel that contains connectivity options. Alternatively, this address could likely be determined through a network scan.
- While on the same network as the treadmill, use the found SSH private key to connect to the IP address of the treadmill’s console.
Figure 8: SSH connection to the root account on P62 console
Once connected, the attacker has full access to the file system of the console as the root user and can issue commands. While functions such as adjusting speed and incline cannot be controlled directly through the command line, it is possible to send a reboot command to the console. If the treadmill belt is active, this will cause it to rapidly and unevenly come to a stop while the console shuts down, which poses a risk to anyone exercising on these treadmills.
Suggested security precautions
The vendor was notified of these issues after the conclusion of the project. The vendor’s security team was timely when remediating the vulnerabilities to secure the affected products. Precor has issued patched software for all the console versions affected so that they do not allow external SSH access to the consoles for versions: P82_8.3.2 and P82_9.2.3_M, P62_8.3.2, and P80_7.2.11. Anyone who owns a Precor fitness device with a P82, P62, or P80 console is recommended to update to these versions as soon as possible.
Other precautions that can be taken to protect users of smart gym equipment include ensuring these devices are on a separate, secured network that a potential attacker would not be able to join or disconnecting them from the internet entirely if the online features are not being used.
To learn how IBM X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a briefing here: IBM X-Force Scheduler.
If you are experiencing cybersecurity issues or an incident, contact IBM X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.