How Joe Biden's Peloton Made Everyone Wake Up About Cybersecurity


Tech Insights for Professionals: The latest thought leadership for IT pros

Thursday, March 11, 2021

Recent events in the US, including concern over the vulnerability of Joe Biden's exercise equipment to hacks, have highlighted the growing importance of IoT cybersecurity.


An incoming president will always create a long list of tasks for the team in charge of running the White House. Moving a whole family out and a new one in is bound to have its challenges.

However, Joe Biden has apparently already tested the Secret Service - with his workout equipment. It’s led to some intense dialog about America's cybersecurity as a whole, and even its status as a global player in protecting against digital attacks. Let's take a look at how this played out.

Peloton, the President, and the Internet of Things

Fitness-conscious 78-year-old Biden is reportedly a fan of the Peloton stationary bikes, sales of which soared when gyms were closed as a result of the COVID-19 pandemic.

But the problem is that the interactive machines come equipped with webcams and microphones to allow users to stream classes and talk to instructors. Not only could this mean the POTUS may turn up in a class with other startled participants, but it also has negative implications for the security of the White House.

Cybersecurity expert Max Kilger at the University of Texas told Popular Mechanics magazine there’s a risk that malicious parties could target the Peloton as a way of getting to Biden and spying not only on his home, but on his workplace.

"Even though there are firewalls and intrusion detection software ... those things can be gotten around if you're really good and skilled. If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment." - Max Kilger


The expert pointed out that it isn't just the bike either, as that could simply be used as a jumping-off point to access smartwatches and TVs within the White House, should someone successfully install malware.

The Secret Service and the National Security Agency (NSA) have already spoken out to insist they’ll be making changes to the bike's IT infrastructure to mitigate the risk, including removing cameras and microphones and constantly changing the passwords.

The vulnerability of connected devices

The whole debacle has acted as a reminder that even the most innocuous-looking device can now become a security risk, especially as our lives become ever-more connected. It's estimated that more than 26 billion Internet of Things (IoT) devices were active last year, with 127 new ones connected every second.

Meanwhile, a report from F-Secure in 2019 found attacks on IoT devices were accelerating at an unprecedented rate. Indeed, there was a more than threefold increase to 2.9 billion events - the first time ever this figure surpassed the billion mark.

Furthermore, according to Palo Alto Networks Unit 42 research released last year, more than half of IoT devices were vulnerable to medium or high-severity attacks.

This was largely because 98% of their traffic is unencrypted, while patches are applied irregularly and default passwords are often used in lieu of more stringent security measures.

Security technologist and Harvard University lecturer Bruce Schneier pointed out in an article for the Washington Post that the removal of potential listening devices from the White House is nothing new. As he explains, Barack Obama was prevented from getting an iPhone in 2013, while Furbies were even removed in 1999 in case they could listen and learn.

"Maybe Biden's security agents could isolate his Peloton ... This might work, but it certainly doesn't scale. As president, Biden can direct substantial resources to solving his cybersecurity problems. The real issue is what everyone else should do." - Bruce Schneier


And therein lies the problem. The president is far from the only person in America and the rest of the world who may become a target for cybercriminals, and people have never made it easier for those criminals to target them. Yet as it becomes harder to find any device that doesn't have at least some form of internet connection, not everyone benefits from tailor-made protection from the NSA.

Cybersecurity as a political promise

Perhaps the news reports on the Peloton have come at just the right time for us all to sit up and take notice, because - somewhat ironically - cybersecurity is something Biden has wanted to pay more attention to for a while.

It was actually part of his campaign platform, and he said in a statement as president-elect that his administration "will make cybersecurity a top priority at every level of government".

What's more, he seems to already be putting his money where his mouth is, having set aside a $10 billion investment in cybersecurity and IT modernization that includes additional funding for civilian cybersecurity.

He’s also planned an ambitious raft of new hires, starting with Anne Neuberger as deputy national security adviser for cyber and emerging technology and reportedly including Morgan Stanley's Jen Easterly to lead a new office dedicated to coordinating cybersecurity operations for the federal government.

However, some analysts have raised concerns that the new experts' collective experience is in the public sector, when much of America's IT infrastructure is now owned and operated by corporations.

The SolarWinds cyberattack

This was something painfully brought home in the US toward the end of 2020, when a huge attack attributed to Russian spies hit eight federal agencies and countless private companies.

The perpetrators hacked into IT programs provider SolarWinds and slipped a back door into a software update. When the update was passed on to SolarWinds' clients, so too was the malware that gave hackers access to their networks.

This so-called supply chain attack hit all of the top five accounting firms in the US and hundreds of colleges, universities and healthcare providers. It also showed that with the whole country connected in one way or another, the system is only as strong as its weakest link.

Chief strategy officer at the National Cybersecurity Center Mark Weatherford wrote in Forbes that cybersecurity is one of the biggest challenges facing the nation in 2021, yet it’s consistently been an area lacking in direction and strong leadership.

"Until the nation aligns on a focused direction, with crystal-clear guidance on cybersecurity out of the White House, private sector companies are almost completely on their own. The Biden administration has both the opportunity and the obligation to establish national policies that help public and private organizations understand what lifeline resources are available." - Mark Weatherford


In a blog for Microsoft, the company's president Brad Smith also said commitment from the government going forward is essential - but that it shouldn't end on a national level.

"Put simply, we need a more effective national and global strategy to protect against cyberattacks. Digital technology has created a world where governments cannot take effective action alone. The defense of democracy requires that governments and technology companies work together in new and important ways - to share information, strengthen defenses and respond to attack." - Brad Smith


President Biden certainly seems to be much more focussed on cybersecurity than his predecessor, so there may now be hope that the US gets the better-protected internet infrastructure it clearly needs at a time when the IoT is booming.

How ironic, then, that it took a scare around a connected device at the start of his presidency to start the ball rolling and underline what an essential step this would be.
