This research was made possible thanks to contributions from Joshua Merrill.

Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users.

One of the most prominent brands in the fitness equipment industry is Precor, which has more than 143,000 machines with internet-connected consoles deployed worldwide. These treadmills were the focus of the research.

Through the discovery of an exposed SSH key pair, the researchers gained root-level access to three versions of the console and demonstrated that the treadmill belt can be stopped remotely, which has the potential to cause harm to users. Additionally, because the root account's password was stored using a weak hashing algorithm, the researchers were able to recover it. As a result of these findings, four CVEs were issued: CVE-2023-49221, CVE-2023-49222, CVE-2023-49223, and CVE-2023-49224.
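The second finding above is a configuration weakness that can be audited on any Linux-based embedded device before it ships: the password field in `/etc/shadow` carries a prefix that identifies the hashing method, so a short script can flag accounts whose hashes are stored with a legacy algorithm, with an empty password, or with too few iterations. The following script is an added example written for this article, not code from the X-Force Red researchers or from Precor. The page does not say which algorithm the console used, so the classification of MD5-based `md5crypt` and traditional DES `crypt` as weak is this example's own assumption, and the shadow entries it audits are constructed placeholders, not hashes from any real device.

```python
"""Audit /etc/shadow-style entries for weak password-hash storage.

Added example: classifies each account's password field by its crypt(3)
method prefix and reports accounts whose credentials would be cheap to
recover if the shadow file were ever exposed. The weak/acceptable split
below is this example's assumption, not a statement about any product.
"""
import re
from dataclasses import dataclass

# Method prefixes understood by crypt(3) on common Linux libc builds.
WEAK_PREFIXES = {
    "$1$": "md5crypt (MD5-based, fast to brute-force on commodity GPUs)",
    "$apr1$": "apr1 (Apache MD5 variant)",
}
ACCEPTABLE_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$7$": "scrypt", "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}
MIN_SHA_ROUNDS = 5000  # glibc default; anything lower was chosen deliberately

# Constructed sample shadow file with placeholder hash bodies (not real hashes).
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:19700:0:99999:7:::
service:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef:19700:0:99999:7:::
legacy:ab3Q9.xYz1234:19700:0:99999:7:::
guest::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    severity: str  # "critical", "high", "ok" or "info"
    detail: str


def classify_hash(field: str) -> tuple[str, str]:
    """Return (severity, detail) for one shadow password field."""
    if field == "":
        return "critical", "empty password field: account accepts login with no password"
    if field.startswith(("!", "*")):
        return "info", "account locked or has no usable password"
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return "high", f"weak hash method: {name}"
    for prefix, name in ACCEPTABLE_PREFIXES.items():
        if field.startswith(prefix):
            # sha256crypt/sha512crypt allow an explicit rounds= parameter.
            m = re.match(r"\$[56]\$rounds=(\d+)\$", field)
            if m and int(m.group(1)) < MIN_SHA_ROUNDS:
                return "high", f"{name} with only {m.group(1)} rounds"
            return "ok", name
    # Traditional DES crypt: no prefix, 13 chars from the crypt alphabet,
    # 8-character password limit and a 12-bit salt.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "high", "traditional DES crypt (8-char limit, 12-bit salt)"
    return "high", "unrecognised hash format; treat as weak until verified"


def audit_shadow(text: str) -> list[Finding]:
    """Parse shadow-format lines (user:hash:...) and classify every account."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        severity, detail = classify_hash(field)
        # A weak or empty hash on root is the worst case on a device with
        # any remote shell access, so escalate it regardless of method.
        if user == "root" and severity == "high":
            severity = "critical"
        findings.append(Finding(user, severity, detail))
    return findings


def weak_accounts(text: str) -> list[str]:
    """Names of accounts that should block a firmware release."""
    return [f.user for f in audit_shadow(text) if f.severity in ("high", "critical")]


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:<8} {f.user:<10} {f.detail}")
    print("blocking:", weak_accounts(SAMPLE_SHADOW))
```

Run it against a real image with `audit_shadow(open("/path/to/rootfs/etc/shadow").read())`; the same classifier also catches the older mistake of placing hashes directly in the world-readable `/etc/passwd`, since any second field other than `x` can be fed to `classify_hash`.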