Comments

Tatütata June 18, 2021 8:16 AM

Also here: https://www.schneier.com/blog/archives/2021/02/presidential-cybersecurity-and-pelotons.html

This would be more an evil towel boy than an evil maid attack. Since the thing is designed to be connected at all times, the units are probably patched already.

Monsieur Colbert has a solution for that:
https://youtu.be/JfT59wBSQME?t=231
(It works so much better with an audience)

Did I mishear correctly? Was that a reference to “1/6”?

(Two URLs, but zero poop emoji, or references to trolls, or Leningrad, or moonshine. Will it fall through the trap door?)

echo June 18, 2021 8:44 AM

I don’t get the need to put a CPU in everything. What’s wrong with a mechanical speedometer and odometer?

But then I’m poor and a nobody so I don’t need to live in a fortress with 24/7 bodyguards and SAM missiles on the roof or travel in a bullet proof car. I can just go for a walk any time I like.

Clive Robinson June 18, 2021 10:15 AM

@ Bruce,

The attack requires physical access to the Peloton, so it’s not really a practical attack.

How about in the “Supply Chain”…

Or when it’s having a mechanical repair, you’re moving home, or you are buying it second hand…

Thus someone could use it as a “staging post” once it’s inside your network and “trusted”.

The moral being: don’t trust these things; keep them on entirely segregated networks etc., preferably via a different router and service provider.

lurker June 18, 2021 1:08 PM

@echo: What’s wrong with a mechanical speedometer and odometer?

Have you tried to buy one lately?

Bear June 18, 2021 1:14 PM

Yet another example of ‘what value was added to this device by sticking a network target into it?’

There is nothing I want my exercise bike, or for that matter my thermostat, or my refrigerator, or any of a thousand other things, to do that requires networking.

Seriously, what drives the compulsion to make everything a network device???

Do people even consider whether cameras, microphones, memory, etc, even contribute to the device’s purpose? If it’s in the category of “second-hand buyer wouldn’t give a crap if it were missing,” then why is it something the initial customer cares about?

Tatütata June 18, 2021 1:23 PM

Seriously, what drives the compulsion to make everything a network device???

The telescreen barks at you as if it were a real person.

Back in the day I was swimming twice a week in a group. There was a 2500m program on the board, but I was one of the “losers” who rarely made it beyond 2000m. The trainer with her chronometer and whistle didn’t pay any attention to our unworthy section. It was nicer like that, I wasn’t in this for the statistics.

Rombobjörn June 18, 2021 3:36 PM

@Bear:

Seriously, what drives the compulsion to make everything a network device???

Datamining. They want you to be ore in their mine.

Clive Robinson June 18, 2021 7:11 PM

@ Bear,

Seriously, what drives the compulsion to make everything a network device???

The feature effectively comes for free due to the way “System on a Chip” (SoC) manufacturing works.

You effectively design just one “do everything chip”, encapsulate it in the plastic package, put a date code and run number on it and put them in the warehouse… When a customer comes along with anything above a thousand part order, you simply take the packaged devices out of the warehouse, blow “softfuse” settings in the chip and laser on a custom number just for the customer… And that way keep your inventory costs right down, and charge premium prices for “fast turn around” or “custom function”.

As the customer order sizes go up you basically give them more and more features on the device to keep your margins up it’s not as though it’s actually costing you anything.

The customer of course has a “marketing dept” they see these “extra features” that cost one or two cents on the BOM as a god send as they can add new bells and whistles for their customers and have a “new premium product” they can charge a hundred dollars or more for.

Or if they are a “bottom of the barrel feeder” FMCE IoT supplier they can use those features to spy on you, wrap the information up in their backend servers and sell you on to a data broker; thus they can set the price of the hardware lower…

Have a look at what Amazon does with Ring and other of their “security systems”: you effectively pay them to give your PII so they can then sell it to Law Enforcement Entities, who get enticed in by getting a number of free Ring devices they can give away etc…

Big brother is not watching you, but he’s got minions to do that for him, and they earn their keep by turning law enforcement into the equivalent of drug addicts that become totally dependent on Big Jeff…

It’s the same trick that his mate Peter over at Palantir does…

But don’t let that worry you any, after all “If you’ve done nothing wrong, why does it matter that they know everything about you? After all the fact you are on heart meds is not going to worry your employer’s HR department, is it?”

Tell me who actually pays for your US Health Care insurance premiums, surely you trust them not to apply neo-con cost saving measures…

Garabaldi June 21, 2021 11:09 AM

@echo

I don’t get the need to put a CPU in everything. What’s wrong with a mechanical speedometer and odometer?

The CPU solution is cheaper, smaller, more accurate and more reliable.

During my career I’ve worked on dozens, perhaps hundreds, of instances of replacing complex mechanical devices (wondrous gears and cams) with a simple pot or quadrature encoder and a CPU. The numbers always justified this by wide margins, both beforehand and in later reviews with real life data.

The potential downside is that once the CPU is in there you get feature creep, for example if you are simply replacing a mechanical speedometer you get an odometer for almost free. Then you get a maintenance minder, … . But this is a different argument than the one against a like for like replacement.
