Peloton’s Bad Day Explained: Recall of Tread & Security Leak Discovered

Hump day is not going well for Peloton this week. After a successful annual ‘Homecoming’ event last weekend where they made a slew of product announcements, the company announced today they’re recalling Tread & Tread+ treadmills, due to safety issues (which led to the death of one child). This follows weeks of the company resisting calls from the CPSC (Consumer Product Safety Commission) to issue a recall of the Peloton Tread/Tread+, and of course, follows the incident in March that led to the death of a 6-year-old child after they were pulled under the treadmill.

However, Peloton’s bad day actually started prior to that, before most in the company’s headquarters in NYC even woke up. A story ran on TechCrunch, which outlined how security researchers had stumbled onto a bug that allowed some activity and profile details to be seen for private profiles. More important to the story, honestly, was that it took the researchers multiple attempts, and eventually the involvement of a media outlet, to get Peloton to pay attention to their claims. The actual data leak itself would probably be classified as relatively minor in the grand scheme of leaks (more on that in a second).

Let’s just do a quick round-up of both of these. However, for those that are skimming – I’d strongly encourage you to understand the treadmill safety issue here, because frankly, this doesn’t just impact Peloton treadmills.

Peloton Treadmill Recall:

Peloton currently offers two treadmills, though, they were both named the same thing at one point. The two models are:

Less expensive – $2,495: Peloton Tread
More expensive and bigger – $4,295: Peloton Tread+

However, up until last year, the Peloton Tread+ was the Tread, and then they offered a less expensive version, and they renamed the Tread to the Tread+. It’d be like if Apple decided to change the name of your product after you bought it, giving it a +/Plus. It’s confusing.

And in fact, adding to the confusion is that there are actually two different safety issues. For the Tread+ (the bigger one), the main safety concern is that pets/children/objects can be pulled under the treadmill if not properly supervised. The CPSC released a video showing exactly how this occurs with a toddler. The video is hard to watch (the child eventually walks away), but I think it’s super important that anyone with a treadmill watches it, as this isn’t limited to just Peloton treadmills:

Again, while Peloton is getting all the attention here, this isn’t limited to Peloton treadmills. The main issue is the gap at the base of the treadmill. And just about any belt or slat system will pull objects under it, especially given the forces and weights these machines have. For example, my treadmill (at the DC Rainmaker Cave) isn’t much different in height or gap, and would likely pull things under it too. Here’s an older image I found in my files of it, showing the gap:

However, some treadmills have bars or covers in place to prevent this. For example, just randomly pulling up Woodway’s main treadmill page, you’ll see how these specific models have bars in place that prevent most objects from being pulled fully under the treadmill. And that’s the key piece here. The main goal isn’t necessarily to prevent belt-burn or such, but rather, to prevent the child/pet from being *pulled under* the treadmill.

By contrast, below, for the Peloton Tread+, you can see there’s no blocker in place, and there’s still enough of a gap that the belt/slat system pulls the object along with it: not just to an initial bar under the treadmill about 12” back (like mine above), but likely significantly further along, because there’s no secondary blocker of the kind some units have.

Meanwhile, for the Peloton Tread (the cheaper one), somehow the display can fall off and end up injuring the person on the treadmill. How this occurs is relatively mind-boggling to me, but obviously, it’s happened. Whether this is an assembly quality issue or an engineering issue is somewhat beside the point, it’s apparently happening. Here’s the exact wording from Peloton on this one:

“Peloton, in cooperation with the U.S. Consumer Product Safety Commission, is recalling the Tread because the touchscreen console on the Tread can detach and fall, posing a risk of injury to consumers.”

Like, that’s literally the definition of ‘the front fell off’.

On the bright side, very few Peloton Tread (non+) units have been sold – at least in the US. Peloton says 1,050 Peloton Tread units were sold in the US, as they were only on a small pilot program there within certain US cities. Instead, those units were largely sold in the UK & Canada. Peloton has not sold any treadmills in Germany (their other market). Peloton has ceased sales globally on all treadmills. They’re also working on a fix to keep the front from falling off:

“Peloton is implementing a voluntary recall for the Tread in cooperation with the CPSC. We are already working to develop a repair for your Tread touchscreen console and hope that this CPSC-approved repair will be available soon. Until this repair is available, Tread owners can either wait for the repair to be approved in the coming weeks, or they can request a full refund.”

Meanwhile, for the Peloton Tread+, there were 125,000 of those sold in the US. For those folks, Peloton is essentially giving two options:

Option 1: A full refund. Any Peloton Tread+ owner can request a full refund, until November 6th, 2022.

Option 2: Peloton will send someone out to relocate your treadmill to a safer (non-kid) location in your home. Remember, this unit is about 500 pounds, so it’s not easily moved by yourself.

Regardless of which option someone chooses, Peloton is also going to roll out a software PIN code. This is in addition to the hardware key that’s required to operate the treadmill. Meaning, ideally, someone would take the key out of the treadmill and put it in a safe place, which prevents the treadmill from operating. But a software PIN is a much better solution. The treadmill will automatically lock after use, and then require the PIN code to operate it again. This protects against scenarios where perhaps a parent has to abruptly leave the treadmill mid-workout (to perhaps settle a multi-toddler dispute), and then never gets back to the unit to remember to take the key out.
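To make the interlock described above concrete, here is an added example (my own sketch, not Peloton’s code or design) of how a key-plus-PIN start interlock with automatic re-locking on inactivity can be modelled. It assumes a hypothetical `TreadInterlock` class, a PIN stored only as a salted hash, a short lockout after repeated wrong PINs, and an idle timeout; the point is that once the belt goes idle the unit locks itself, so a parent who walks away mid-workout does not have to remember the key.

```python
import hashlib
import hmac
import os


class TreadInterlock:
    """Hypothetical treadmill start interlock (added example, not a vendor design).

    Starting the belt requires BOTH the hardware key and a PIN unlock, and the
    unit re-locks itself after idle_lock_seconds without user activity.
    """

    def __init__(self, pin: str, idle_lock_seconds: float = 45.0,
                 max_failures: int = 5, cooldown_seconds: float = 60.0):
        # Keep only a salted PBKDF2 hash of the PIN, never the PIN itself.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self.idle_lock_seconds = idle_lock_seconds
        self.max_failures = max_failures
        self.cooldown_seconds = cooldown_seconds
        self.key_inserted = False
        self.locked = True          # software lock; starts locked
        self.belt_running = False
        self._failures = 0
        self._cooldown_until = 0.0  # timestamp until which PIN entry is refused
        self._last_activity = 0.0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def insert_key(self) -> None:
        self.key_inserted = True

    def remove_key(self) -> None:
        # Pulling the hardware key always stops the belt and re-locks.
        self.key_inserted = False
        self._stop_and_lock()

    def enter_pin(self, pin: str, now: float) -> bool:
        """Unlock with the PIN. Wrong guesses are counted and, after
        max_failures, PIN entry is refused for cooldown_seconds."""
        if now < self._cooldown_until:
            return False
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._failures = 0
            self.locked = False
            self._last_activity = now
            return True
        self._failures += 1
        if self._failures >= self.max_failures:
            self._failures = 0
            self._cooldown_until = now + self.cooldown_seconds
        return False

    def start_belt(self, now: float) -> bool:
        """The belt only starts when the key is in AND the software lock is open."""
        if not self.key_inserted or self.locked:
            return False
        self.belt_running = True
        self._last_activity = now
        return True

    def user_activity(self, now: float) -> None:
        # Any console interaction (speed change, button press) counts as activity.
        self._last_activity = now

    def tick(self, now: float) -> None:
        """Called periodically by the controller: auto-lock once idle too long."""
        if now - self._last_activity >= self.idle_lock_seconds:
            self._stop_and_lock()

    def _stop_and_lock(self) -> None:
        self.belt_running = False
        self.locked = True


def walk_away_scenario() -> bool:
    """Parent unlocks and starts, then leaves without touching the console.
    Returns True if the unit has stopped and locked itself by the time a
    child presses start, i.e. the interlock did its job."""
    t = TreadInterlock(pin="1234", idle_lock_seconds=30)
    t.insert_key()
    t.enter_pin("1234", now=0)
    t.start_belt(now=1)
    t.user_activity(now=10)      # last touch of the console
    t.tick(now=60)               # 50 s idle: belt stops, unit locks
    return (not t.belt_running) and t.locked and (not t.start_belt(now=61))


if __name__ == "__main__":
    print("interlock held:", walk_away_scenario())
```

The timestamps are passed in explicitly rather than read from the clock so the behaviour is deterministic and testable; a real controller would feed it a monotonic clock from the firmware loop.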

Peloton says they are working on a hardware modification to the Tread+ as well:

“We are working to develop additional modifications to the recalled Tread+ that will address the hazard of adult users, children and pets being pulled below the Treadmill and suffering serious injury or death. These modifications will be incorporated presented to the CPSC and if approved, will be introduced into the product before Peloton resumes sales. We do not have any additional information about the modifications or any proposed timeline right now.”

Undoubtedly, this will be some form of bar or cover over the back area. But looking at the existing treadmill back area, this isn’t going to be an easy fix to roll out on a product that’s designed to be as sleek as possible. Never mind having to roll it out to 125,000 units (or a portion thereof).

Peloton Data Security Leak:

Oh no, we’re not done yet today. We’re only halfway there.

Earlier in the day, TechCrunch reported on how a security researcher was able to access profile information for members that were private, as well as access profile information for public members without authorization. The researchers have detailed their work here.

The details that were accessible were: User age, gender, city, weight, workout stats, and whether or not it was the user’s birthday (today).

These are essentially the same stats that are viewable from a user’s profile page, split into those that are seen within a workout, and those that are seen outside a workout. For example, above you can see my Peloton profile page. You’ll see my username (dcrainmaker), my city that I’ve entered manually (Amsterdam), plus all my workouts. Do note that the city is not your actual billing address, it’s just what you put in that public field. Some people don’t put anything, and some put random things, like filling out a MySpace profile; it’s not super concrete.

The age and gender are the same as displayed when you tap on someone’s profile from the normal Peloton leaderboard. Here’s an example of a random person I just tapped on right now from a leaderboard of a class this very second:

You can see that the person has specified themselves as a female, under 20, and living in Toronto. And in this pretty rare case, they also listed what is presumably their full name. Or, it might just be a pseudonym and they might be a 45-year-old dude in Germany. Who knows. Here’s an example of a pile of names from a leaderboard this past weekend:

You’ll note though that one’s actual name isn’t displayed anywhere, nor was their actual location, nor anything else beyond what is normally public information. Except whether or not it was that user’s birthday today. The other detail that’s somewhat irrelevant right now was whether or not the person was taking the class in a Peloton studio, or at home. Given all Peloton studios have been closed for a year, that doesn’t matter too much today.

However – the main gap here is that this was *ALSO* accessible for private profiles, using the Peloton API (or, sorta-API, it’s not really a truly official API).
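The two problems the post names (private profiles readable via the API, and profile details readable by callers who were never authorized at all) are both instances of the same defect: the endpoint hands out a record without deciding, per request, who is asking. Below is an added example of my own, not Peloton’s code, that models a profile endpoint as plain Python functions: a vulnerable handler that ignores the caller, beside a hardened one that checks ownership, the privacy flag and the follower list, and that limits owner-only fields (weight, birthday) to the owner. The `Profile` records, field names and user IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    user_id: str
    username: str
    private: bool
    age_bucket: str        # e.g. "under 20", "30-39"
    gender: str
    city: str              # free-text field the user typed, not a billing address
    weight_kg: float
    birthday_today: bool
    followers: set = field(default_factory=set)  # user_ids approved to follow


# Constructed sample records for this example; not real users.
PROFILES = {
    "u1": Profile("u1", "public_runner", False, "30-39", "female", "Amsterdam", 60.0, False),
    "u2": Profile("u2", "quiet_cyclist", True, "under 20", "female", "Toronto", 55.0, True, {"u1"}),
    "u3": Profile("u3", "lurker", False, "40-49", "male", "", 80.0, False),
}

# Fields a stranger may see on a public profile, and fields only the owner may see.
PUBLIC_FIELDS = ("username", "age_bucket", "gender", "city")
OWNER_ONLY_FIELDS = ("weight_kg", "birthday_today")


def get_profile_vulnerable(profiles: dict, target_id: str) -> dict:
    """Broken access control: the handler never asks who is calling, so the
    privacy flag is decorative and owner-only fields leak to everyone."""
    p = profiles[target_id]
    return {f: getattr(p, f) for f in PUBLIC_FIELDS + OWNER_ONLY_FIELDS}


def get_profile_hardened(profiles: dict, target_id: str,
                         caller_id: Optional[str]) -> Optional[dict]:
    """Authorization decided server-side on every request:
    - the owner gets every field;
    - an approved follower, or anyone on a public profile, gets public fields only;
    - everyone else asking about a private profile gets None, the same answer
      as for a non-existent user, so the endpoint cannot confirm that a
      private account exists.
    caller_id is None for an unauthenticated request."""
    p = profiles.get(target_id)
    if p is None:
        return None
    if caller_id == target_id:
        return {f: getattr(p, f) for f in PUBLIC_FIELDS + OWNER_ONLY_FIELDS}
    if p.private and caller_id not in p.followers:
        return None
    return {f: getattr(p, f) for f in PUBLIC_FIELDS}


if __name__ == "__main__":
    # Anonymous caller asking about the private user: leaks vs. denied.
    print("vulnerable:", get_profile_vulnerable(PROFILES, "u2"))
    print("hardened:  ", get_profile_hardened(PROFILES, "u2", None))
```

Two design points worth noting: the field allow-lists are explicit, so adding a new column to `Profile` does not silently expose it, and the denied and not-found cases return the identical value, which keeps the endpoint from being used to enumerate which private accounts exist.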

But that’s also ignoring the fact that it took more than 90 days for Peloton to respond to the security issues, and even then, they were only fixed after TechCrunch reached out to Peloton’s press office, which got the ball moving. According to TechCrunch and the security researchers, it sounds as if the main security lead at Peloton was new to the position and things were still getting put in place.

Undoubtedly, it also sounds like Peloton didn’t have procedures in place to escalate security-focused bugs from customer service/support channels to the right internal teams. That’s an important piece for software and hardware companies to have in place: training support staff to recognize when a security researcher (or anyone else) is trying to disclose a security vulnerability. Otherwise, it can get lost in the noise of typical tech support cases.

Peloton provided the following statement to TechCrunch:

“It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.”

Again, it’s never good to disclose profiles that are set to private, as public. But, in this instance, the severity of the data here is more minor than most data leaks we tend to see. Certainly far less critical than if one’s Strava profile were public when otherwise set to private, as that has very specific details about exactly where someone runs/rides, and likely their exact address information (no, Strava hasn’t had a data leak of that sort yet…and no, people forgetting to add privacy zones doesn’t count. Also, yes, dear god, make a privacy zone around your home, and don’t start your runs/rides from your home – start them a few hundred meters away).

Of course, all of this Peloton’s Bad Day™ will likely be forgotten tomorrow, as conveniently it’s their quarterly earnings call. Undoubtedly they’re going to announce another blockbuster quarter – probably selling more bikes than ever before, with higher subscribers than ever before. Make no mistake, there’s a reason this is announced today, and not tomorrow. By tomorrow, it’ll literally be yesterday’s news.

With that – thanks for reading!

DC Rainmaker:


  • A bit off topic, but anyone know how to link to a Strava account if I once had a Peloton profile that was linked, but that I deleted and now can't recover, but seems to linger somewhere in the system? Anytime I try to link my new profile, I get an error saying my Strava account is already linked to a Peloton user. Revoking access from the Strava side, factory reset of Peloton haven't helped and Peloton customer support appears clueless.


    • Are you on a Peloton Bike, or just the app?

      Peloton requires the initial link be established on a physical Peloton Bike (or Tread). Any bike/Tread, anywhere. Just once.

      So in pre-pandemic years, you could go to a Peloton Studio even and do it there, a hotel gym, a Peloton showroom, friends house, etc... Once you did it once, you were good to go forever.

    • On the newer Bike Plus. The original profile (which I now cannot recover since I don't remember the e-mail and each one I could think of and put into their forgot password link appears to be for a different profile) was also created on the same bike. The new profile which I use now is also on the same bike. Have tried wiping the cache and doing a factory reset of the bike, but there appears to be a ghost in the machine. Peloton customer service took half an hour to just understand the scenario then said they had created a ticket but I have no indication anyone is doing anything about this. The internet is full of people reporting similar sounding issues though the scenarios are usually slightly different from mine. None that I have found talk about this "lost profile" scenario. And peloton appears to have no workflow anyway to completely erase a profile from existence. From the bike you can remove a profile, which I did when I couldn't log into it, but it still exists somewhere, either in the cloud or somewhere on your bike. I can even find it by userid (which is different from e-mail) because it was a public profile, using the Find Members link on the Peloton website. Highly frustrating.

  • I've been wondering about my Woodway Desmo/4Front's ability to suck me under. (It's a Woodway Desmo refurbished as a 4Front with the new display.) I don't think it has any kind of bar underneath the rear, and I was worried about potential #suckunder since before the Peloton incidents were reported.

    It seems like a risk if you fall and get rolled off the back and get a limb on the ground at the rear. I've never fallen, but it could happen without too much of a fluke. I'm the only person on the planet to use the emergency-stop magnet clip, but I think the belt could still spin for a second or two and suck you under.

  • After seeing the video of the kid being pulled under, my thought is that the belt on my old treadmill would slip before the deck would actually leave the ground as in that video. With a belt made of slats, does the peloton tread+ have two sprockets instead of the standard smooth drum driving the belt or a non-round drum (hexagon cross shape) that prevents slipping?

  • hahahahah..brilliant! that will teach those woke wankers at Peloton with their work tv ads.

  • The problem is a pattern by Peloton of 1) ignoring the problem, 2) then lying about the problem 3) blaming others before doing anything. But yet people will defend them.

  • Couldn't the hardware issue be fairly simply fixed by providing some kind of sled style metal base that the Peloton could simply sit on top of?
    It would then wrap around the end of the treadmill covering the void?

    No need for super engineering, just put a shoe on it.

    • True, as long as it was physically attached to the Tread, which, I presume could be accomplished via replacement of the rear feet, that I also presume probably attach merely via screws or such.

  • I wonder if other treadmill manufacturers will do anything to prevent things being pulled under the belt. Peloton got caught, but as Ray showed, it's a relatively common issue

    • Peloton didn't get caught so much as they are rich enough that it's worth a lawsuit. They were always going to be dragged on stage bleeding for something and I'm sure there are still plenty out there trying to think of other issues to pull them on. They've been lucky this time that it's an issue affecting most treadmills and that ultimately it is user error. Sure, they can add safety features like a PIN, but kids are very capable of watching and learning a PIN number. Every time someone invents an idiot proof system, idiots step up their game. There is no getting away from the fact that a treadmill is a big powerful motor attached to an abrasive belt, and if you let children near it unattended (and video doesn't count, I can't believe I have to say that!) then there is no safety feature that will protect them.

    • Yeah, I suspect we'll look back on this in 3-5 months and most of the major treadmill manufacturers will have been caught up in it in some way.

      By now, plenty of lawyers are sharpening their pencils, and also, probably plenty of parents that perhaps never reported incidents to the CPSC for other treadmills (or even Peloton), are sending e-mails.

      Which isn't to say treadmills are scary monsters, it's just that to date treadmill companies have never really said *HOW* these incidents occur. It was always a leave it up to your imagination on how a kid could get hurt. My imagination assumed a kid plays on the belt and flies off the back (which, is true, and is how most accidents happen). But it never crossed my mind to get sucked back under it. And, as a bit of a hotel gym treadmill aficionado, I can say that a lot of treadmills are exactly 0% different than Peloton's here.

    • You have repeated this a bunch of times about “other treadmills”. Do you have any facts to back it up? Or will you continue to defend Peloton.

    • I'm not defending Peloton, I'm simply pointing out this isn't a unique problem to Peloton. I've pointed out numerous times I don't understand why Peloton pushed back so hard on considering changes.

      As for other examples, there's a good post on the Slowtwitch forum of a person noting the exact same thing happened with them and an exercise ball (which is what's shown in the video) and their Nordic Track.

    • And in all of 5 seconds of searching, here's a perfect example of a belt-driven treadmill, pulling an exercise ball under the treadmill - just like Peloton's did with the child. And in this case, with a teenager standing on the treadmill no less:

      Again, this isn't just a Peloton issue, in this Wired piece, I explain a bit more on why Peloton is likely being poked at first here:

    • I think the reason they pushed back so hard was to avoid a humongous recall in their primary market for something that's never been an issue in the market before despite it being a well proven design. I completely agree with you that they should have considered design changes just because more safe is obviously better and they have to iterate and improve for the next model anyway. I don't agree with the huge recall one bit, and I promise you that if they add a bar to the back the next lawsuit will be a broken hand between the bar and machine, or lacerations if the bar is too close. Someone will get injured using the new design, that is a certainty.
      We might very well see an arms race develop which ultimately leads to a camera using AI to detect kids which disables the machine entirely in their presence...then a parent will sue because their device doesn't work while kids are in the room ;)

      Sometimes I worry that we'll end up banning all forms of exercise just in case someone stubs their toe

    • From your comments, it's clear you don't have kids. Toddlers move & learn fast & parents get distracted. Depending upon furniture & outlet configuration, unplugging/plugging in isn't always easy to do.

      In watching the beginning of that video for the first time, I would have thought that ball was waaay too large to get sucked under & I can't help but watch the end of that video (over & over again - am I a bad person?) with the sound 'on' in my head, "Mmm, child tasty. Nomnomnom!" as that 500 pound machine literally picks itself up & moves to 'eat' that kid. If I didn't see the video I would NEVER have believed that could happen. This kid walked away but another died because the machine is powerful enough to move itself under the right (wrong?) circumstances.

    • "unplugging/plugging in isn’t always easy to do"

      Taking the safety pin out is certainly always easy, however. And this applies to *any* treadmill.

    • "unplugging/plugging in isn’t always easy to do. "

      Good parenting isn't about things being easy, it's about protecting your children first and foremost every single day for the rest of your life. As I said, this is effectively a belt sander with a huge motor, there is no safety device that will ever make it safe to leave with a child alone if there is a chance they could switch it on. If you can't be arsed to make it safe, put it in a locked room they don't have access to. If you don't have a room, run outdoors. Your children have to come first every single time.

    • Not every house has a spare bedroom, & even if they did it may very well be better to put it downstairs where the parent can use it while supervising the child(ren). There were times I was a 'single parent' just due to work schedules; there are many others who are full-time single parents, either because of divorce, death, or deployments. I couldn't run outside & leave the kid home alone & if I was running/riding in the basement or a spare bedroom, I might not realize he woke up early from his nap. Treads aren't cheap but buying one means someone doesn't have to pay a babysitter to run outside, possibly in the rain or dark, at a pre-scheduled time. They provide flexibility & convenience, which is something parents need.

      There's also the fact that children grow & can do more than they could one, three, or six months ago. Babies are wonderful because you always find them where you leave them; once they learn to crawl it's a totally different game & they need constant, eyes-on supervision. Ask how many parents had a kid end up in a bathroom or outside on their own because they didn't realize said kid learned how to unlock/open a door.

      While I don't disagree with what you said there are practical realities to actually being a parent. I'm not one to scream 'design defect' at every little injury but a 500lb object that will pick itself up & move itself to 'eat' a kid because a blocker bar didn't look cool is one that DOES have a design defect that isn't foreseeable or expected by the average person.

    • "despite it being a well proven design" - what might be a well proven design for use in a controlled gym environment is not necessarily one when used in a home environment.
