
Let’s Talk Security Tech About President Biden’s Peloton Bike – DC Rainmaker



Over the last week there’s been a surprising amount of concerned speculation that President Biden would be unable to take his apparently beloved Peloton Bike to the White House, citing security concerns. The reason is that the Peloton Bikes contain not only a network connection, but also a camera and a microphone. The camera and microphone are intended to let you do a workout with a friend, akin to Facetime or such, though in reality very few people tend to use them. There’s also Bluetooth and WiFi.

Still – cameras and microphones, as well as both wired and wireless connections, can indeed pose security concerns in any technology device, be it a bike or a phone. It’s why in most high security environments, such devices are tightly controlled (if allowed at all). However, the amount of speculation that somehow this would stop the Bidens from bringing their Peloton bike is silly.

Here, let me explain.

(Preemptive warning: Politically focused comments – on either side of the aisle – will be immediately deleted. There are plenty of other places in the world to drop those, I’m here for the tech – so let’s focus on that.)

Peloton Bike Tech:


Now the first thing to know about the Peloton Bike is that there are actually two main models of the Peloton Bike: The Bike, and the newer Bike+. They are similar in many ways, but also quite different. From an underlying bike frame standpoint (the big bulky metal part), they’re actually identical. However, the differences are in the screen, and the Bike+ also has an electronic resistance unit. But that doesn’t matter in this conversation.

The basic design of both bikes is that the screen up top is everything from a smarts standpoint. It’s essentially a giant Android phone, using a large touchscreen instead. The unit runs Android (different versions depending on the bike), but the average consumer would never really notice that. However, that Android platform does make it far more appealing (and easy) for attackers (or hobbyists) to tinker with.



Both bikes have cameras in them at the top of the screen, however, the Peloton Bike+ also has a camera cover. This small piece of plastic allows you to cover the camera.


Both bikes have mics in them, also at the top of the screen. In the case of the original Bike it’s actually visible just above the camera on the bezel of the screen. Whereas the Bike+ appears to have it behind the speaker fabric.


Both Peloton Bikes have dedicated headphone jacks as well.

When it comes to connectivity, both bikes have WiFi connectivity, though only the original Bike has wired ethernet built-in. Instead, the Bike+ would require someone to purchase a USB-C to Ethernet dongle in order for wired connectivity. There’s also Bluetooth for audio devices (and heart rate sensor pairing). If looking at the device holistically from a security standpoint, it’s likely they would aim to physically disable the Bluetooth connectivity as well, as that could be paired to nearby Bluetooth audio devices otherwise.


Neither the camera nor the microphone is required for day to day usage, however network connectivity is. Without network connectivity you can’t load the classes to take (or take live ones), nor can you see any of your training data over time. You can however use the bike without connectivity in a base mode without classes (basically just as a simple spin bike).


Now while all of these things are considered security risks, they’re hardly without precedent in the White House. In fact ultimately, the Peloton bike as noted earlier is just a giant Android phone. But various US government agencies literally have divisions that are focused on taking apart devices and making them more hardened. But one has to first decide what type of ‘space’ they’re going into. For example, while there are many portions of the White House that are considered a sensitive compartmented information facility (SCIF) where classified information can be discussed – there are plenty of portions that are not. It’s in these portions that most day to day work happens, and where staffers carry both government issued and personal devices (the exact policies on this have varied from administration to administration, and even within an administration).


Sure, one should always be careful with any device and discussing both official and classified information. But iPhones, Android phones, smart watches and such are the norm these days. And for classified information, that’d be discussed in a classified ‘facility’ (the term facility here is more of a construct than a specific building – in some locations the facility can be the entire building, and in others just a single tiny room).


Still, governments around the world have a long history of securing devices, both in unclass (unclassified) and high side (classified) areas. For high security situations, they’ll dismantle them, understand how they work, remove risky components, and put them back together again. This is hardly news. One need only look at the current PDB (Presidential Daily Brief) being delivered on an iPad to see that, as a public example.

While it’s rumored that former First Lady Michelle Obama has or had a Peloton Bike delivered without a camera/mic, that would do little to assuage security divisions about putting any connected device within the White House residence. If the location of the device warranted, those same divisions would still take apart the device and do their normal security work. The removal of a camera/mic by Peloton would merely save government teams time in making the device work properly after disabling those components (as it would usually fail various internal checks).


No matter which flavor of bike shows up, White House staffers within EOP would then work to follow standard security guidelines (so-called STIGs) published by NIST for Android devices, then in conjunction with other intelligence agencies they’d complete a more detailed assessment of the risks of that specific Peloton model to decide where it might be placed, and what hardening steps may or may not be taken. Given how many government officials (such as embassy staff and past executive officials) have Peloton bikes, this has undoubtedly been done many times before and is well documented.


Finally, while my Peloton Bike is currently sitting in our bedroom – a place where in a White House setting classified information would undoubtedly be discussed as any president mulls through tough decisions, there’s zero need for the bike to sit there in the White House. After all, the White House is a vast building including a gym, bowling alley, and theater. A Peloton Bike could easily be placed in the White House gym or another secured room that is only used for working out. You can see some images of the long lineup of fitness machines in some White House gym photos here.

Thus ultimately, the task of securing electronic/connected devices to work in the White House is something that is a well understood path that’s been done countless times before on far more technically challenging devices. And more importantly, it’s something done on a continual basis for far more mundane devices. Sticking a connected bike in a storage room somewhere is pretty low on the complexity factor for those divisions.

Thus, I’ve got no doubts that both the President and First Lady will continue using their bike, whichever model it is, for some time to come.

With that – thanks for reading!

(And again – preemptive warning: Politically focused comments – on either side of the aisle – will be immediately deleted. There are plenty of other places in the world to drop those, I’m here for the tech – so let’s focus on that.)


