NordicTrack Patches Out 'God Mode' In Treadmills That Allowed Users To Watch Anything On Its Display

from the mine-mine-mine! dept

If you are a console gamer of a certain age, you will remember the bullshit Sony pulled when it patched its PS3 systems to remove useful features it had used as selling points for the console to begin with. Essentially, the PS3 had a feature that allowed you to install another operating system on it. This was used by hobbyists, companies, and the US Military alike to creatively use PS3s for purposes other than that for which they were built, such as research supercomputers and creating homebrew PS3 games. Sony later decided that those features could also be used for piracy or other nefarious actions and so patched it out. Sell the console with a feature, remove it later after the purchase… and then get sued in a class action, as it turned out.

The story of NordicTrack’s treadmill isn’t exactly like that, but it’s pretty damned close. The company’s treadmill has a large display mounted on it. That display was designed to be used with a subscription to iFit, which is the parent company of NordicTrack. There are all sorts of useful features when you view subscribed content on the display while exercising, such as difficulty and incline changes that follow along with the subscribed workout content. But the console also has a way to bypass the user-facing portion of the console and get into the underlying OS, which means users like JD Howard could then set up their own internet browser, through which they could put any web content on the display while they worked out.

To get into his X32i, all Howard needed to do was tap the touchscreen 10 times, wait seven seconds, then tap 10 more times. Doing so unlocked the machine—letting Howard into the underlying Android operating system. This privilege mode, a sort of God mode, gave Howard complete control over the treadmill: he could sideload apps and, using a built-in browser, access anything and everything online. “It wasn’t complicated,” Howard says. After accessing privilege mode he installed a third-party browser that allowed him to save passwords and fire up his beloved cloud security videos.

While NordicTrack doesn’t advertise privilege mode as a customer feature, its existence isn’t exactly a secret. Multiple unofficial guides tell people how to get into their machines, and even iFit’s support pages explain how to access it. The whole reason Howard bought the X32i, he says, was because he could access God mode. But the good times didn’t last long.

No they didn’t, because NordicTrack subsequently removed the God mode feature through a software update. And not just on the treadmill, but also on its other associated exercise equipment. And a not insignificant number of customers are absolutely pissed about it. The comments coming in largely are combinations of anger and confusion, with many owners wondering why in the world they suddenly can’t watch sports or Netflix while they work out. The other theme appears to be confusion as to how the company can even do this because, “Hey, don’t we own this thing we bought?”

The answer, of course, is no.

“The block on privilege mode was automatically installed because we believe it enhances security and safety while using fitness equipment that has multiple moving parts,” says a spokesperson for NordicTrack and iFit. The company has never marketed its products as being able to access other apps, the spokesperson adds. “As there is no way of knowing what kind of changes or errors a consumer could introduce into the software, there is no way of knowing what specific issues accessing privilege mode might cause,” the spokesperson says. “Therefore, to maintain security, safety, and machine functionality, we have restricted access to privilege mode.” The spokesperson also emphasizes that privilege mode was “never designed as a consumer-facing functionality.” Rather, it was designed to allow the company’s customer service team to remotely access the products to “troubleshoot, update, reset, or repair our software.”

The move puts the company at the center of the right-to-repair debate, with consumers increasingly demanding that companies let them alter the products they purchase.

Kinda, yeah. And it’s important to note that “owners” like Howard already had regular old treadmills and bought their NordicTrack treadmill because of the ability to put what they want on the display. Again, sell the thing with a useful feature, then remove the useful feature afterwards via a software update. As I said, it’s not exactly like the PS3 case, but it’s pretty damned close.

The only real question now is whether iFit and NordicTrack too will have to pay out millions in attorney’s fees and barely anything to the actual consumer in some massive class action like Sony did.

Companies: ifit, nordic track


Comments on “NordicTrack Patches Out 'God Mode' In Treadmills That Allowed Users To Watch Anything On Its Display”

41 Comments
That Anonymous Coward says:

"“Therefore, to maintain security, safety, and machine functionality, we have restricted access to privilege mode.”"

Or… hear me out…
when they activate god mode now they will see a screen warning them they are about to void the warranty.
Then we can stop pretending this was ever about security and safety and more so about forcing them to only watch the content we want them to pay us to watch.

Anonymous says:

Re: Re: Re:

I think it is. I think "We won’t repair it" is a far better position for these companies to take than "You can’t repair it".

That is nevertheless illegal in the USA. They can refuse to repair damage caused by the owner, but cannot refuse based on modifications that didn’t cause any damage. If you brick the Android installation, you may be on your own; but if the motor dies, the company can’t weasel out because you installed your own media player.

Samuel Abram says:

Re: Re: Re: Re:

It’s just that the modifications for the Game Boys include backlights, "professional"-sounding audio outputs, and clock speed adjusters. I don’t think Nintendo would pay to repair those! That being said, I know lots of other people who are knowledgeable about the Game Boy’s anatomy such that they could repair them if I wanted them to do so, so I don’t see the voided warranty as a big deal.

Samuel Abram says:

Re: Re: Re: Re:

Terrible analogy. If NordicTrack refuses to honor the warranty for a hacked system, at the very least there will probably be DIY forums and other places on the internet that would show you how to fix the NordicTrack if things go south.

If NordicTrack acts like Apple or John Deere and sues independent repair shops, however, it means that repairs would get a lot more expensive.

PaulT says:

Re: Re:

Refusing warranty because someone changed the stock OS has been a long standing tradition, since at least the first person who needed support from a big box retailer and had edited a .bat file to run Doom was asked to reinstall Windows 3.11 to diagnose the issue.

I’m not saying that’s right, but it’s hardly a surprise for a company that needs to protect themselves from complaints about physical liability.

Thad says:

Re: Re: Re:

I’m not saying that’s right, but it’s hardly a surprise for a company that needs to protect themselves from complaints about physical liability.

You could accurately say "this isn’t surprising" at the bottom of at least 75% of Techdirt articles, including this one.

"It’s not surprising" is not a defense of bad behavior.

PaulT says:

With it not being an advertised feature, I’m not sure it’s a real analog to the PS3 situation. I can also see 2 sides here really. On the one hand, you have a company patching out a useful feature that people use that just "happens" to restrict them to only using paid content from that company, which is not a good thing.

On the other hand, if you need to get root access to the OS in order to watch other things, I can definitely understand why the company would wish to patch out the ability for people to potentially make the device dangerous through untested software changes, even if most people are realistically going to just be watching Netflix.

"Again, sell the thing with a useful feature, then remove the useful feature afterwards via a software update"

Was it something that was advertised as a selling point? If it wasn’t, as the rest of the article suggests, then it’s not bait and switch and there won’t be any lawsuit rewards to pay.

Anonymous says:

Re:

… I can definitely understand why the company would wish to patch out the ability for people to potentially make the device dangerous through untested software changes …

Ah, but the trick is, did they honestly believe that, or were they just seeing a revenue stream leaking away through a security hole?

PaulT says:

Re: Re:

Either way’s possible. They could have been avoiding lawsuits from injuries, or they could have been protecting a revenue stream. But, if the "god mode" feature wasn’t advertised as something the product was intended to do, it doesn’t really matter. It seems that people have already found ways around the updates, while I’m sure that the company can now get any lawsuit dismissed where the injured party had deliberately bypassed safety features.

Narcissus says:

Missed opportunity

If they’re afraid of safety they could, of course, let the next update provide that in a safe way.

Personally I think that if an exercise machine has a large display and an internet connection, it is insanity to not provide access to Netflix, youtube etc. It wouldn’t even occur to me to NOT do that. Every gym has TVs all over the place so people have some distraction. Do you think people working out at home would like to watch the wall while working out? And don’t tell me people enjoy working out.

Paul B says:

Re: Re: Re: Missed opportunity

There are legal ways to do this. Put in the contract "We offer you this screen at a reduced / free price as part of this unit and you agree not to do xyz modifications to said screen in exchange for this price."

This is not the case, they just offered a machine with a big screen running some android back end.

Now they are trying to insert this into the agreement after the fact. So yes, ownership rights really do come into play here just like all the stuff Printer makers have been caught doing.

PaulT says:

Re: Re: Re: Re: Missed opportunity

"There are legal ways to do this"

There are. However, there’s nothing not legal about doing what they’re already doing. They sold a product with X functionality, some people thought they’d buy one because they got extra unadvertised Y features with a "hack", and now are complaining because the "hack" was patched.

"This is not the case, they just offered a machine with a big screen running some android back end."

They offered a locked product that happened to have an easy to reach unlock feature that wasn’t advertised. You can argue whether or not they should be offering an unlocked product, but the advertised product was locked, so it’s nowhere near the same issue as the PS3 issue (where the advertised features were removed).

I won’t sit here and defend everything they’ve done here, but there’s a lot of false equivalence floating around.

Anonymous says:

Re:

The user is clearly escalating their privileges. "God Mode" has been used for ages for taking some sort of extra control, whether it involves a privilege escalation in an OS or not.

Not everyone is going to use words as defined by your version of "the tech field", whatever the hell that is. We could discuss your common (ab)usage of the word [fragment] "tech", for that matter. As if anything IT-adjacent were the only kind of technology ever.

Buzz-wordy and not overly precise? Maybe. Big deal? Doubt it.

Upstream says:

God mode?

NordicTrack to customers: "You think you have God mode? Watch this." [Pulls plug on God mode] "Ha, ha. My God mode is bigger than your God mode!"

I try my best to avoid products that have "right to own / repair" issues, but it is very difficult, and, in some cases, impossible, so sometimes I do without.

Unfortunately we do not have a consumeratti with enough principles and backbone to say "You can take your non-own-able, non-repairable, Internet server-dependent, paid subscription-dependent device and shove it up your arse!"

Anonymous says:

Re:

And it’s important to note that "owners" like Howard already had regular old treadmills and bought their NordicTrack treadmill because of the ability to put what they want on the display.

Heck, sounds like it would’ve been cheaper for at least some of these people to just buy a tablet and some kind of mount to attach to their existing units in the first place…

Anonymous says:

Re:

they’re conditioning users to mistrust security updates, and the long-term consequences of that are potentially devastating.

…or possibly liberating, if people learn to avoid all vendor-provided firmware and expect the vendors to provide something that can run a stock OS image (you know, one prepared by someone who knows something about software and can provide updates with more than a 1- or 2-year attention span).

danderbandit says:

Same but different

I bought a NordicTrack crosscountry ski machine. It arrived with a couple of special bolts missing. I tried to get them, sent pictures, all kinds of documentation. They sent brackets and other stuff, never got what I really needed. I told them I wanted to return it for a refund. They said sure, pretty quickly and no hassle, gave me the refund and said just keep it. They didn’t have an agent nearby to come and get it/wasn’t worth it to them to pay for shipping to have it returned. I still have it. Got some hardware on my own to make it work.

So now I have a $700 piece of equipment for free. And I just have to make myself use it more regularly.

sumgai says:

I’m surprised that TFA didn’t mention why Nordic Track said "safety" numerous times. (Though they got close with "moving parts".) I’m seeing this machine as an IoT device, which of course is defined as an external access point with less-than-zero security – it effectively challenges scumbags to come in and fsck up your workout routine. (Come to think of it, isn’t that what just happened – a malicious intruder just entered the system under a false flag and boogered it up?) And that’s just for starters – what about the rest of your network?

I’ve had a couple of treadmills in the past, the second with the same abilities of the current NT (but probably without the God Mode, I don’t know). I can just imagine being dumped into the console, with no small amount of force, by some script-kiddie telling the machine to shut off just when I’d reached my favored running speed.

That’s just the kind of thing that lawyers look for, and successfully sue over: "The manufacturer should have anticipated this possibility, and taken steps to prevent it". Still, Nordic Track could’ve just given that example, and been done with it. People would still be very upset, but they’d have no chance in Hell of succeeding in court. After all, users are looking to them to take responsibility, and that’s just what they are doing – protecting the user from him/her self. Courts tend to accept this line of reasoning, as galling as it may be to the user.

Bait and switch? The plaintiff would like this to be the central focal point, but they’ll fail for the above reasons – it’s about the manufacturer being responsible for preventing a potential tort, end of story. Sony’s PS3 debacle wasn’t about possible physical harm, that truly was about revenue streams, and thus was correctly decided as a bait and switch.

And using a separate tablet, that’s just what I did… with a cable up to the 32" monitor mounted on the wall. (Largest thing available at the time.) Lot cheaper than a new treadmill, and one less thing I have to learn how to protect from just this kind of malarky.

Anonymous says:

Re:

And how does this update fix any of the issues you mentioned? It’s still an IoT device. The OS is still the same. It still has full access to the internet and the "script kiddies" who reside there.

"God mode" (and I don’t know why we’re calling it that) exists on all operating systems, including the one on your treadmill. The only people who could get in before the update and can’t get in now, are people who have physical access to the device’s touchscreen.

sumgai says:

Re: Re:

The update that removed "God mode" fixes the main issue of potential/probable liability for physical harm to the customer, that’s all. It may be enough to ward off a loss in the current court case, in fact I’m betting that it will, but I’m also well aware that the opera ain’t over until the fat lady sings. I can only hope that the case will be either settled outside of court, or resolved by the court(s), soon. And that’s only because I’m curious, you understand. 🙂

The other things you mention are likely still intact and vulnerable. I can only guess that when an attacker successfully bricks a treadmill, or worse, then another court case will ensue. Not every treadmill user is smart enough to block its network access at the router, sad to say.

Oh, and please enlighten us as to where to find God Mode in MS-DOS, or IBM’s PC-DOS, or DR-DOS, any versions of such. I gotta admit, I do love me some command line exploits!

freelunch says:

incompetence is often a better explanation than ill will

I bought an ifit treadmill. The physical machine is moderately cool, better than the ones at my gym (where I didn’t go for some years, pandemic.) The software and systems and the organization are awful. Long workouts are tough, since the s/w crashes regularly. I now have an intervals workout on the machine — I did manual intervals and go back to the calendar to re-use that old workout. It has built in music, but after a couple of weeks I put an Alexa next to it, much much better. Tech support — completely incompetent. Service and support — two year delays to get a bolt back in, but there is a thriving if very expensive third party entrepreneurial repair sector. There must be more …

… Any of you techdirt readers have money as well as the brilliance we all love here, buy ifit, bring it up to the organizational competence level of, say, Sprint just before it was bought, and you will make a ton of $$.

JD Howard says:

FYI

Yes, I am the person that is being quoted…

To anyone "trying" to see iFit’s perspective. I commend you for that, but you should know that there is more to the story. For one, it is a fairly massive coincidence that all of this started at the exact same time they announced their future IPO… This privileged mode has existed for many years. They never gave a crap about all the stuff until some C-Level shit head decided to increase their personal returns when it goes public.

Also, I am not opposed to them selling an unlocked mode that doesn’t void the warranty. I think it’s an absolute dick move, but one I could at least live with so I can use the equipment the way I want.

I have a lot going on, but I am passively working on a permanent fix for this problem. They would be wise to get that "paid unlocked mode" rolled out before I shut down the possibility for them.
