Working on computers all day, it's nice to get away from one and get to the gym… well, it seems gym equipment is just a computer too these days.
The gym I go to has just got these cool new state-of-the-art bikes in: handlebars that steer, brakes, gears etc., all linked to the screen, which mimics exactly what you are doing. You can even race other people in the gym. Cool, hey!
After a couple of minutes watching the screen, it crashed and rebooted (well, it's Windows and I didn't touch it… honest). Up comes the DELL BIOS screen and it boots into Windows 7. It's basically just a computer with the bike as an advanced joystick.
After the reboot
Now most people would think, so what? Well, as a pen tester it straight away makes me think… hmmm:
- These are obviously on the network. Are they on the gym's domain or segmented?
- Are they patched? How are they patched?
- Do they have boot security?
- Common passwords with Gym servers? pass the hash?
Could it really be possible to fully compromise a multi-million-pound worldwide gym using a cycling machine…? Well, based on previous testing in multi-site sports/leisure companies… more than likely!