Echelon Data Breach: Rider Account Data Exposed

Echelon Exposed Rider Account Data Through API Vulnerability
Similar to a recent incident involving Peloton, the fitness company Echelon experienced a data exposure issue stemming from a flawed API. This vulnerability potentially allowed unauthorized access to riders’ personal account information.
Echelon's Position in the At-Home Fitness Market
Echelon provides a variety of fitness equipment, including bikes, rowers, and treadmills, as a more affordable alternative to Peloton for home workouts. Their app also facilitates participation in virtual classes, even without owning the company’s hardware.
Details of the API Vulnerability
Security researcher Jan Masters from Pen Test Partners discovered that Echelon’s API permitted access to sensitive data. This included a rider’s name, city, age, gender, phone number, weight, date of birth, and comprehensive workout statistics and history.
Furthermore, the API revealed details about the workout equipment used by members, such as its unique serial number.
Similarities to the Peloton API Flaw
Masters previously identified a comparable vulnerability within Peloton’s API. This earlier issue enabled unauthenticated requests, allowing the retrieval of private user account data directly from Peloton’s servers without proper authorization checks.
How the Echelon API Was Compromised
The Echelon API is designed to facilitate communication between members’ devices and Echelon’s servers. It was intended to verify device authorization through an authorization token before granting access to user data.
However, Masters found that this token was not required to successfully request and obtain data.
Weak access controls on the API also allowed for the retrieval of data pertaining to any member, enabling the enumeration of user account IDs and subsequent scraping of account information. This type of scraping attack has previously affected platforms like Facebook, LinkedIn, Peloton, and Clubhouse.
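The two failures just described, modelled as an added example that is not Echelon's code: a toy "get rider profile" handler that accepts a token but never checks it and serves any member ID, beside a hardened version that requires a valid token and also checks that the token belongs to the member whose record is requested. The token format, server secret and sample rider records are constructed for the illustration.

```python
import hmac
import hashlib

# Constructed sample data for the illustration; IDs, names and serials are made up.
RIDERS = {
    1001: {"name": "Rider A", "city": "Austin", "weight_kg": 70, "serial": "EX-0001"},
    1002: {"name": "Rider B", "city": "Denver", "weight_kg": 82, "serial": "EX-0002"},
}
SECRET = b"placeholder-server-secret"  # assumption: a server-side key, not a real one

def issue_token(user_id):
    """Hypothetical token format '<user_id>.<hmac>'; stands in for the signed
    session token an app would obtain at login."""
    mac = hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def verify_token(token):
    """Return the user ID a valid token was issued for, or None if the token
    is missing, malformed or carries a bad signature."""
    if not token or "." not in token:
        return None
    uid, mac = token.split(".", 1)
    if not uid.isdigit():
        return None
    expected = hmac.new(SECRET, uid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(uid)

def vulnerable_get_rider(user_id, token=None):
    """The pattern described above: the token parameter exists but is never
    checked, and the record for any member ID is returned as-is."""
    return RIDERS.get(user_id)

def hardened_get_rider(user_id, token=None):
    """Authentication (a valid token) and authorization (the token belongs to
    the member being requested) are both enforced before data is returned."""
    caller = verify_token(token)
    if caller is None:
        return {"status": 401, "error": "missing or invalid token"}
    if caller != user_id:
        # Stops one logged-in member from reading other members' records by ID.
        return {"status": 403, "error": "not your account"}
    rider = RIDERS.get(user_id)
    if rider is None:
        return {"status": 404, "error": "no such member"}
    return rider
```

The ownership check is the essential fix; random, non-sequential member identifiers and per-token rate limiting would further reduce the scraping exposure the article describes.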
Disclosure and Response
Ken Munro, founder of Pen Test Partners, initially reported the vulnerabilities to Echelon via Twitter direct message on January 20th. The company lacks a publicly available vulnerability disclosure process, which they state is currently “under review.”
The researchers waited out the standard 90-day disclosure window before publishing, but received no response from Echelon during that time.
Echelon's Statement and TechCrunch's Investigation
Following inquiries from TechCrunch, Echelon stated that the identified security flaws were addressed in January.
According to Chris Martin, Echelon’s chief information security officer, an external penetration test was conducted, and corrective actions were implemented, largely by January 21, 2021. Echelon maintains that the User ID itself does not constitute personally identifiable information (PII).
The company did not disclose the name of the external security firm but confirmed detailed logs are maintained, though it could not confirm any evidence of malicious exploitation.
Discrepancies in Echelon’s Timeline
Munro contested Echelon’s claim regarding the timing of the fixes, providing evidence to TechCrunch indicating that at least one vulnerability remained unaddressed until mid-April.
Another vulnerability was reportedly still exploitable as recently as this week.
When pressed for clarification, Echelon reiterated that the security flaws “have been remediated” without addressing the timeline discrepancies.
Additional Vulnerability: Age Verification
Echelon also resolved a bug that permitted users under the age of 13 to create accounts. Many companies restrict access for individuals under 13 to comply with the Children’s Online Privacy Protection Act (COPPA).
Despite a stated minimum age of 13, TechCrunch successfully created an Echelon account with an age below this threshold this week.