Running in Circles: Security Insights from a Treadmill
I run ultramarathons, so I run often and sometimes end up indoors when conditions aren’t ideal or I need to juggle family needs. When running inside, I use a Nordictrack X22i, which is a wonderful piece of equipment but is limited to the built-in iFit application and nothing more; no Netflix, YouTube, or other streaming services. Nordictrack no doubt does this to ensure customers experience the treadmill as they intend. This also helps ensure safety since the software affects the hardware. Tired of staring at the wall, I dedicated a day to liberating my technology, but it didn’t go as planned.
Like many devices, Nordictrack leverages a locked-down version of Android. Online discussions revealed that a "power mode" exists to manage the operating system and perform calibration/troubleshooting. Getting to this mode requires tapping portions of the screen a specific number of times, pausing, and repeating the process. From there, a dialog appears with a customer service number and a multi-digit code you are meant to provide as an identifier. This wasn’t always the case, but enough attention was created about power mode that Nordictrack needed a way to route eager users to them and stop them. Fortunately, websites exist that enable bypassing this process, and I leveraged one with success.
Success, I have power mode on the treadmill. A cursory look around the operating system reveals an ancient version of Android. Specifically, version 9 from 2018. I am unable to log in to the Play Store, but I do have a basic built-in browser and search functionality installed. I used the browser to go directly to Netflix and tried logging in that way. However, I was greeted with a message: "Your browser is no longer supported." No direct streaming.
Not deterred, I again leverage search, but this time make my way to APKMirror, endlessly scrolling to find a version of the Netflix app that is supported by my outdated Android version and for the given platform. After a few failed attempts, I get the proper application downloaded and install it on the treadmill. Success, I have Netflix installed and visible on my home screen. Firing it up, I am again presented with the dreaded "Your browser is no longer supported" message. Modern shell applications and their tendency to rely on their latest web application have rendered this pathway useless.
Before giving up, I search for other creative methods users on Reddit have found successful. One user notes that installing certain Amazon applications will enable an ability to cast to the device. Not ideal, but worth a shot to see if it works. Before I can test it out, I am pulled away for a few hours on family activities. When I return later in the afternoon, my treadmill has a dialog noting it ran into an issue and needs to be rebooted to resolve it. Nothing works until I perform the reboot, including the manual operation of the treadmill, and as you might suspect, once doing so, my "power mode" is gone. Yet another speed bump in the process, and one that was enough for me to consider stopping. It wasn't worth my time to find methods to persist and otherwise disrupt the reason I bought the treadmill. You know, for running.
Even though I didn’t get what I wanted, I was pleased by the resilience Nordictrack had both directly and indirectly designed into the system. I bought the treadmill for running and doing workouts. They designed it for such and limited the abilities of the software to keep me safe and ensure my experience was consistent. Combining hardware and software means you are likely to have a complex system, and when it’s outside of your direct control, you have to assume it could be breached in multiple ways. The work many are doing to design agents, especially in security, is no different. Agents made by companies will be designed to meet specific needs and limited in functionality to keep you safe. There will always be people who wish to bypass those limitations. Assume that happens at every portion of your design and add layers of security to preserve the integrity of your experience.
Learn from everything. Remain curious!