Connected Fitness Devices: The Growing Security Risks
Forensics Specialist Ondrej Krehel Discusses Top Concerns
At-home fitness gear and other connected health devices pose growing privacy and security risks, says Ondrej Krehel, CEO and founder of cybersecurity and digital forensics firm LIFARS.
For instance, if connected fitness gear is used during exercise in military or police facilities, fitness data about the performance of the team and other information could potentially be accessible to adversaries, he says.
"Many of these locations are trying to limit or stay away from IoT devices" because of the potential risks they pose, he notes.
The New York Times in January reported that prior to his inauguration, the prospect of President Joe Biden using his Peloton bike in the White House was raising security concerns because Peloton tablets have built-in cameras and microphones that allow users to see and hear one another if they choose (see: Newly Patched Peloton API Flaws Exposed Users' Private Data).
Meanwhile, the advanced threat research team at security vendor McAfee recently issued a report about an Android Verified Boot vulnerability identified in Peloton's Bike+ that could allow an attacker with either physical access to the exercise bike or access during any point in the supply chain to gain remote access to the bike’s tablet, including the camera, microphone and personal data, without any indication that the device had been subjected to tampering. Peloton says it has fixed the security flaw.
"These devices should be treated with zero trust," Krehel says in an interview with Information Security Media Group. "Whatever is collected, captured, stored - you should consider at any point could be publicly disclosed and the device compromised."
In this interview, Krehel also discusses:
- Cyberthreats involving connected medical devices;
- Cybersecurity vulnerabilities and other challenges involving IoT devices;
- Suggestions to healthcare CISOs for improving the security of IoT devices.
Krehel is the digital forensic lead, CEO and founder of LIFARS, an international cybersecurity and digital forensics firm, and the captain at Cyber Team Six, an elite incident response team. He's the former CISO of Identity Theft 911, an identity theft recovery and data breach management service.