As CES goes hybrid, connected fitness companies have another big year

CES hasn’t traditionally been the healthiest week for me. Aside from some unintentional intermittent fasting, TechCrunch really has the habit of doing it up with our team dinners at the show, to say nothing of Matt’s near religious devotion to a Mexican place named Tacos & Beer.

In my defense, I will say that there’s never been a year that I haven’t blown through my step count several times over every day of the show. Wandering the hall of the Las Vegas Convention Center will do that to a tech journalist. This year, of course, my steps have been suffering, as TechCrunch opted to attend the show virtually, amid omicron-related concerns.

If I’m being honest, those same concerns left me wondering whether I should be back at the gym, too. I’m sure I’m not alone in that, either. While it’s true that companies like Peloton saw regression as gyms and the like saw re-openings late last year, this pandemic is far from over. And the idea of being in a confined room with a bunch of other heavy breathers seems less than ideal, even as it’s currently too cold to do much working out outside in many parts of the country.

It’s always hard to project the longevity of these sorts of trends, but it’s pretty safe to say that the last few years will have proven a sea change for the world of home fitness. I’ve personally spoken with many people who don’t plan to go back to the gym after all of this is over (well, assuming all of this is ever actually over, I guess). That’s not entirely a symptom of the pandemic, of course — companies like Peloton and Mirror were gaining plenty of traction before many of us knew what a novel coronavirus was.

Of course, when it rains it pours with this stuff. My inbox has been bombarded with home fitness services for the past couple of years. It’s clear that as many companies as possible are looking to capitalize on this moment, and between Peloton’s earnings and transactions like Lululemon’s acquisition of Mirror, how can you blame them? We certainly saw an uptick at last year’s all-virtual CES, but in 2022, they’re impossible to avoid.

Like any ultra-hot tech category, only a few will survive. Peloton was set to loom large over the event in more ways than one, including a keynote by CEO John Foley — though earlier this week, the fitness brand joined a long list of companies opting out of attendance. In spite of such concerns, however, there were plenty of products more than willing to fill that void.

Image Credits: LG

LG’s offering in the category was far more conceptual than practical. If anything, the company’s stationary bike was designed to show off how its curved monitor technology could be incorporated into home fitness. Given the size of the product, it seemed like a pretty solid indictment of itself, given that space and price are at a premium for many looking to outfit their homes with exercise equipment.

I’m frankly surprised we didn’t get more attempts to jam the term “metaverse” into this year’s home fitness pitches. VR fitness app Liteboxer wins the prize there. “The dawn of the metaverse points to a demand for a deeper sense of connectivity,” co-founder and CEO Jeff Morin said in a release. “Virtual reality workouts connect people in a way that’s more meaningful than a 2D screen on a tablet, phone or computer. With just a VR headset and your will to win, anyone can now workout anywhere in the world with the best trainers, tracks and fitness technology.”

The “meta” word is mentioned four times in the aforementioned release. In this case it seems to be used fairly interchangeably with the term “VR,” as this is a title for the Quest 2 headset. Liteboxer VR arrives in the Quest Store on March 3, and will run $19 a month for a subscription.

Echelon showcased its EX-8s Connect Bike, designed to take on Peloton’s high-end Bike+, undercutting the product only slightly at $2,399. That’s a high price tag for a company that also makes uber-affordable products for Walmart. That price gets you, among other things, a curved 24-inch 1080p display and a customizable lightshow for the wheels. It’s set to arrive later this month.

Image Credits: Wondercise

Wondercise, meanwhile, is a software-first solution. The company aims to offer a platform that’s designed to connect remote exercise buffs and break through some of the isolation that comes from switching from the gym to the home. Per the company’s press material:

The live leaderboard displays scores based on an individual’s technique, creating a fun atmosphere in sessions. Colorful on-screen power bars and profiles were intentionally designed to make the experience feel like a game, adding a competitive dimension to workouts. Wondercise is focused on bringing the Internet of Things to the fitness industry so everyone can get the performance analytics and data they need, wherever they work out.

As crowded as the home equipment category is getting, however, it’s nothing compared to software-first solutions, and Wondercise will be competing directly with big names, including Apple and Samsung.

Hydrow, meanwhile, was one of the key companies representing home rowers. It’s a category beyond the saturated world of treadmills and bikes that’s prime for some real growth. Rowers offer a fuller body workout than bikes, though generally burn fewer calories. Peloton is rumored to be getting into the rowing machine game, but for now Hydrow looms as the big name in the space.

Noname Security hits $1B valuation after $135M Series C raise

API security is all the rage these days, pushed into the limelight following a spate of high profile security incidents that saw reams of user data exposed or exfiltrated. Peloton spilled users’ private account information; Experian exposed the financial histories of millions of Americans; and Facebook, LinkedIn, and Clubhouse all had user data scraped en masse because of their poorly secured APIs.

For companies like Noname Security that aim to solve API security problems, business is booming. The Palo Alto-headquartered company today announced it’s raised $135 million in Series C funding, pushing the startup over the $1 billion valuation mark, making it the latest startup to join the cybersecurity unicorn club.

The round was led by Georgian and Lightspeed, with participation from Insight Partners, Forgepoint, and others. The funding comes just six months after Noname closed a $60 million round of funding at Series B, less than a year after raising $25 million at Series A after emerging from stealth last December. For those keeping count, that’s $220 million raised by the company to date.

Noname helps companies proactively discover and remediate API security issues by analyzing configuration settings, network traffic, and code to prevent misuse. APIs, in simple terms, allow two or more things to talk to each other over the internet, including hardware and software. APIs are pretty much everywhere, even if you can’t see them. But without controls in place, APIs can be abused to siphon off tons of sensitive or private internal data from a company’s servers.

The startup said it plans to use the new investment to expand its research and development, and improve its go-to-market strategy. Noname now claims to support one-fifth of Fortune 500 companies, and has tripled its headcount in the past six months to more than 200 employees.

Peloton sues rivals over alleged patent infringement related to on-demand classes

Peloton has filed fresh lawsuits against two of its rivals, iFit and Echelon. It alleges that the companies are violating up to four patents it holds related to on-demand classes, one of which it only obtained last week, as Bloomberg Law notes. Peloton is seeking a court order to block sales of the devices until the patents expire, in addition to compensation. In both suits, Peloton accuses competitors of attempting to “free ride” off its technology.

The iFit complaint concerns NordicTrack, ProForm and FreeMotion products that use the company’s leaderboard and/or its ActivePulse or SmartAdjust features. “Prior to the actions giving rise to this suit, iFit Functionality never delivered live classes — i.e., classes taught by instructors and streamed to users’ devices in substantially real time — or offered its members the ability to participate in competitive classes via a leaderboard. Instead, iFit Functionality only allowed subscribers to follow along with pre-recorded exercise classes on their machines, without any sort of community engagement,” Peloton wrote in the filing.

It accuses iFit of “profiting immensely from this infringement.” In October, iFit paused its plan to go public due to adverse market conditions.

As for Echelon, Peloton is targeting the Smart Connect EX1, EX3, EX4s, EX5, EX5s, EX-7s, EX-Pro and GT+ bikes; Stride and Stride-5s treadmills; Row, Row-s and Row-7s rowers; and the Echelon Fit app. Peloton claims that, before it released the Tread, “it was not well-known for treadmills to offer a leaderboard” and that Echelon now has a “copycat leaderboard” with an “‘Online Filter’ that allows users to ‘see who is taking an On Demand class at the same time.'”

Peloton has had a thorny relationship with both companies over the last few years. It has sued iFit (previously known as Icon Health and Fitness) over patent infringement in the past and vice versa. Peloton also filed suit against Echelon in 2019 for, among other things, “imitating the Peloton Bike experience.” Engadget has contacted iFit and Echelon for comment.

Editor’s note: This article originally appeared on Engadget.

Noname Security closes $60M Series B to eliminate API flaws

Enterprise API security startup Noname Security has raised a $60 million Series B funding round, just six months after closing $25 million at Series A. 

The round was led by Insight Partners with Next47, Forgepoint, and The Syndicate Group (TSG) also participating, and brings Noname’s total funding to $85 million since emerging from stealth in December 2020.

The startup, which currently has a 70-strong workforce and offices in Palo Alto and Tel Aviv, says it raised rapidly due to the fact the pandemic has fueled a growing dependence on APIs. Naturally, this proliferation of APIs has led to an increase in the number of API security incidents. Earlier this year, for example, an Experian API exposed the credit scores of nearly every American with one, and just weeks later a leaky Peloton API allowed anyone to grab users’ private account data directly from the company’s servers. Facebook, LinkedIn, Echelon, and Clubhouse have also fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms. 

“The need for API security was so strong and got super emphasized during the pandemic,” Oz Golan, CEO of Noname, tells TechCrunch. “We want to help organizations to leverage APIs securely, and we want to eliminate all of the API vulnerabilities out there. We don’t want another Experian incident.”

The Silicon Valley startup provides a holistic security platform that uses AI and machine learning to enable enterprises to see and secure managed and unmanaged APIs exposed by the organization, consumed by the organization, or used internally, thereby eliminating the API security blind spots. The majority of these flaws often go unnoticed for years, according to Noname, giving anyone who can find them unfettered access to an organization’s most sensitive operations.

“Even seasoned security professionals often have no idea how exposed their systems are,” Golan says.

In its six months since launch, the startup has amassed 40 technology, reseller, and channel partners, as well as “hundreds” of enterprise customers either in production or trialing the platform.

“Because of the huge traction that we have seen, we want to accelerate – expanding our sales team, marketing team, customer success, R&D. Basically growth, growth, growth,” says Golan, who previously served as director of engineering at NSO Group. 

Commenting on the funding round, Thomas Krane, principal at Insight Partners — which recently led a $75m Series C funding round in cybersecurity skills platform Immersive Labs — said: “The surging volume of APIs and the growing complexity of modern applications has led to an increase in cybersecurity obstacles. Noname came to market at just the right time with a fully realized, next-gen technology that’s making a big impact with global customers.”

API security is a hot ticket for investors right now. Last month, London-based 42Crunch raised a $17 million Series A, and just weeks later California-based Salt Security closed a $70 million Series C — bringing the total amount of funding the company has raised in the last year to $120 million.

An internal code repo used by New York State’s IT office was exposed online

A code repository used by the New York state government’s IT department was left exposed on the internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords associated with state government systems.

The exposed GitLab server was discovered on Saturday by Dubai-based SpiderSilk, a cybersecurity company credited with discovering data spills at Samsung, Clearview AI and MoviePass.

Organizations use GitLab to collaboratively develop and store their source code — as well as the secret keys, tokens and passwords needed for the projects to work — on servers that they control. But the exposed server was accessible from the internet and configured so that anyone from outside the organization could create a user account and log in unimpeded, SpiderSilk’s chief security officer Mossab Hussein told TechCrunch.

When TechCrunch visited the GitLab server, the login page showed it was accepting new user accounts. It’s not known exactly how long the GitLab server was accessible in this way, but historic records from Shodan, a search engine for exposed devices and databases, show the GitLab server was first detected on the internet on March 18.

SpiderSilk shared several screenshots showing that the GitLab server contained secret keys and passwords associated with servers and databases belonging to New York State’s Office of Information Technology Services. Fearing the exposed server could be maliciously accessed or tampered with, the startup asked for help in disclosing the security lapse to the state.

TechCrunch alerted the New York governor’s office to the exposure a short time after the server was found. Several emails to the governor’s office with details of the exposed GitLab server were opened but were not responded to. The server went offline on Monday afternoon.

Scot Reif, a spokesperson for New York State’s Office of Information Technology Services, said the server was “a test box set up by a vendor, there is no data whatsoever, and it has already been decommissioned by ITS.” (Reif declared his response “on background” and attributable to a state official, which would require both parties to agree to the terms in advance, but we are printing the reply as we were not given the opportunity to reject the terms.)

When asked, Reif would not say who the vendor was or if the passwords on the server were changed. Several projects on the server were marked “prod,” common shorthand for “production,” a term for servers that are actively in use. Reif also would not say if the incident was reported to the state’s Attorney General’s office. When reached, a spokesperson for the Attorney General did not comment by press time.

TechCrunch understands the vendor is Indotronix-Avani, a New York-based company with offices in India, and owned by venture capital firm Nigama Ventures. Several screenshots show some of the GitLab projects were modified by a project manager at Indotronix-Avani. The vendor’s website touts New York State as a customer, along with other government customers, including the U.S. State Department and the U.S. Department of Defense.

Indotronix-Avani spokesperson Mark Edmonds did not respond to requests for comment.

Echelon exposed riders’ account data, thanks to a leaky API

Image Credits: Echelon (stock image)

Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.

But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it.

Echelon’s API allows its members’ devices and apps to talk with Echelon’s servers over the internet. The API was supposed to check if the member’s device was authorized to pull user data by checking for an authorization token. But Masters said the token wasn’t needed to request data.

Masters also found another bug that allowed members to pull data on any other member because of weak access controls on the API. Masters said this bug made it easy to enumerate user account IDs and scrape account data from Echelon’s servers. Facebook, LinkedIn, Peloton and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms.
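To make the two failure modes above concrete, here is an added example (it is not Echelon’s or Pen Test Partners’ code, and every member record, token and class roster in it is constructed). The `vulnerable_get_member` handler reproduces both flaws described in the article: it never inspects the authorization token, and it hands back whichever member id the caller names, so sequential ids can be walked to scrape every account. The `hardened_get_member` and `class_leaderboard` handlers show the checks a defender would want: authenticate the bearer token, enforce object-level authorization (the caller may only read its own record), answer not-owned and non-existent ids identically so the endpoint does not confirm which ids exist, and expose only a minimal, non-identifying view of other participants in a shared class.

```python
"""Toy member-data API illustrating a missing token check and a missing
ownership check, beside the hardened equivalents. Added example; all data,
tokens and endpoint names are constructed for illustration."""
import hmac

# Constructed member table. "display_name" is the only field other riders
# in a class are ever allowed to see.
MEMBERS = {
    1001: {"display_name": "Alice E.", "name": "Alice Example", "city": "Austin",
           "age": 34, "phone": "555-0100", "weight_kg": 61},
    1002: {"display_name": "Bob E.", "name": "Bob Example", "city": "Boise",
           "age": 41, "phone": "555-0101", "weight_kg": 88},
}

# Constructed bearer tokens mapped to the member they authenticate.
TOKENS = {"tok-alice-constructed": 1001, "tok-bob-constructed": 1002}

# Constructed class roster with each participant's power output.
CLASSES = {501: {"participants": [1001, 1002], "output": {1001: 210, 1002: 185}}}


class ApiError(Exception):
    """Raised by the hardened handlers with the HTTP status they would return."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def vulnerable_get_member(member_id, authorization=None):
    """Flaw 1: the Authorization header is accepted but never checked.
    Flaw 2: no ownership check, so any caller can request any member id and
    a loop over ids would enumerate the whole member table."""
    return MEMBERS.get(member_id)


def authenticate(authorization):
    """Resolve an 'Authorization: Bearer <token>' value to a member id.
    Uses a constant-time comparison so token lookup does not leak timing."""
    if not authorization or not authorization.startswith("Bearer "):
        raise ApiError(401, "missing bearer token")
    presented = authorization[len("Bearer "):]
    for stored, member_id in TOKENS.items():
        if hmac.compare_digest(stored, presented):
            return member_id
    raise ApiError(401, "invalid token")


def hardened_get_member(member_id, authorization=None):
    """Return the caller's own record and nothing else.
    Not-owned and non-existent ids both get 404, so the response does not
    confirm whether a given id exists (the enumeration signal)."""
    caller = authenticate(authorization)
    if member_id not in MEMBERS or caller != member_id:
        raise ApiError(404, "not found")
    return MEMBERS[member_id]


def class_leaderboard(class_id, authorization=None):
    """Leaderboard for a class the caller is actually in. Only the display
    name and output of each participant are returned: no ids, no contact or
    body data, so the shared view cannot be used to build a member list."""
    caller = authenticate(authorization)
    cls = CLASSES.get(class_id)
    if cls is None or caller not in cls["participants"]:
        raise ApiError(404, "not found")
    rows = [{"display_name": MEMBERS[m]["display_name"], "output": cls["output"][m]}
            for m in cls["participants"]]
    return sorted(rows, key=lambda r: r["output"], reverse=True)


if __name__ == "__main__":
    print("vulnerable, no token:", vulnerable_get_member(1002))
    print("hardened, own record:", hardened_get_member(1001, "Bearer tok-alice-constructed"))
    try:
        hardened_get_member(1002, "Bearer tok-alice-constructed")
    except ApiError as e:
        print("hardened, other member:", e.status, e)
    print("leaderboard:", class_leaderboard(501, "Bearer tok-bob-constructed"))
```

The ownership check is the part that closes the scraping path: authentication alone would still let any logged-in member read every other member, which is exactly the second bug the article describes. Logging 401 and 404 responses per token over time is also the cheapest way to spot an enumeration attempt against an endpoint like this.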

Ken Munro, founder of Pen Test Partners, disclosed the vulnerabilities to Echelon on January 20 in a Twitter direct message, since the company doesn’t have a public-facing vulnerability disclosure process (which it says is now “under review”). But the researchers did not hear back during the 90 days after the report was submitted, the standard amount of time security researchers give companies to fix flaws before their details are made public.

TechCrunch asked Echelon for comment, and was told that the security flaws identified by Masters — which he wrote up in a blog post — were fixed in January.

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information],” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company. While the company said it keeps detailed logs, it did not say if it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated.

Echelon also confirmed it fixed a bug that allowed users under the age of 13 to sign up. Many companies block access to children under the age of 13 to avoid complying with the Children’s Online Privacy Protection Act, or COPPA, a U.S. law that puts strict rules on what data companies can collect on children. TechCrunch was able to create an Echelon account this week with an age less than 13, despite the page saying: “Minimum age of use is 13 years old.”

Amazon taps Echelon for the Prime Bike, a $500 Peloton knock-off

Amazon teamed up with Echelon to build and sell the Prime Bike. The $500 exercise bike is a virtual clone of the $1900 Peloton bike minus the screen — even the color scheme and design are the same. The bike is available now from Amazon (and Walmart with slightly different branding).

Echelon builds several fitness products, including a smart mirror that’s eerily similar to Mirror. The Prime Bike is Echelon’s third smart bike; the other two feature video screens and are available for $999 and $1,1999.

The Prime Bike has nearly every feature found on a Peloton bike from multiple adjustments to front-mounted wheels for easy movement. Instead of toe clips, the Prime Bike uses straps to lock riders’ feet to the pedals. However, the Prime Bike weighs 80 lbs instead of the Peloton’s 135 lbs, which suggests it’s not as well built and lacks the solid feel of a Peloton.

A screen is the notable missing feature, but that’s quickly resolved with a tablet. And since Peloton offers its classes through an app, Prime Bike buyers can even use Peloton’s service or Echelon’s service that’s very similar to Peloton’s offering.

“We were built on the idea of attainable fitness for everyone. The Prime Bike was developed in collaboration with Amazon, aiming to create an amazing, connected bike for less than $500, and it’s proven to be a phenomenal match,” said Lou Lentine, President, and CEO of Echelon Fitness. “Amazon looking to us to partner on their first-ever connected fitness product is recognition of our commitment to deliver quality at a reasonable price-point as reflected in our explosive growth over the last year.”

There are countless spinning bikes available for less than the Peloton cost, and many are available on Amazon. Few are as blatant of a knock-off as the Prime Bike, though. Amazon has a long, well-documented history of producing and selling products that draw heavy influence from popular products.

With this partnership with Echelon, Amazon is taking a big step towards Peloton, and Peloton’s stock responded in kind, dropping nearly 5% to $90 a share.

It’s worth noting the same exercise bike is available at Walmart for $500, where it sells under Echelon’s branding of the Connect Sport Bike.