Echelon is facing the same problem Peloton recently had over rider data being exposed through its API, which wasn’t properly secured. Jan Masters, a security researcher at Pen Test Partners, discovered that Echelon’s API allowed access to the account data of its riders. The data exposed included name, city, age, sex, phone number, weight, birthday, and workout statistics, and history of any other member in a live or on-demand class. The API also included some information about Echelon customers’ workout equipment including serial numbers.
Echelon’s API allows customer devices and apps to talk with Echelon’s servers, and it was designed to check if a device was authorized to access user data by checking for an authorization token. Even without the token present, the API responded to the request.
First report by TechCrunch, Echelon had this comment when presented with the information.
“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information,” said Chris Martin, Echelon’s chief information security officer, in an email.
Ken Munro, founder of Pen Test Partners, first reported the information to Echelon back in January over a Twitter direct message as Echelon doesn’t currently have a process for accepting security vulnerabilities. Despite Echelon claiming the flaw was fixed in January, Munro claims it wasn’t fixed until the middle of April.
Echelon also confirmed it has resolved a bug that allowed users under the age of 13 to sign up for its services. Most companies block access to children under the age of 13 to avoid complying with the Children’s Online Privacy Protection Act, but it was previously possible to still sign up.
As connected fitness continues to grow in popularity, these problems will continue to happen as more people turn their attention to the data transferring across the internet from devices to company servers. Echelon is one of Peloton and iFit primary competitors but undercuts them on price by offering a “bring your own screen” option through the use of an iPad.