Sticky-note security turned gym into hall of '80s horrors

Even fitness equipment is vulnerable to mischief makers these days

The Register

PWNED Welcome back to Pwned, the column where we share war stories from IT soldiers who shot themselves – or watched someone else shoot themselves – in the foot. Today's tale shows that even when you're setting up something as simple as fitness gear, there's no excuse for leaving security credentials lying around.

Our story this week comes from someone we will Regomize as JC, a proprietor of a company that sells and installs used gym equipment. He had a contract with a hotel to install some cardio equipment with video screens, designed to let exercisers watch Netflix over the LAN.

However, one of JC's employees left the default admin PIN for the equipment on a Post-it note attached to one of the treadmills. This allowed a hotel guest to log into the control panel and queue up '80s music videos. We have no idea what songs the troublesome traveler chose, but we have to imagine that Olivia Newton-John's "Physical" was first on the playlist.

Hearing the sounds coming from the gym, the staff at the hotel front desk wondered if their gym was haunted. However, they eventually learned that someone had left YouTube playing rather than logging into Netflix. Fortunately, the "attacker" didn't do any real damage, but if someone more enterprising had gained control of these machines, they could have potentially used them for command-and-control attacks.

For his part, JC said that he has taken the incident as a learning opportunity. Now his team isolates all consoles on a guest VLAN, changes the default passwords, and even disables USB ports on fitness equipment. They patch the consoles during burn-in and even lock network plates so no one can pull the Ethernet cables out and attach their own devices to the LAN.

Merritt Maxim, VP and research director at Forrester Research, said he would also restrict outgoing access at the firewall level so that the gym machines could only send and receive data from Netflix. Otherwise, hackers who gained access to the fitness machines could cause a lot more damage.
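The egress restriction Maxim describes, written out as an nftables ruleset (an added illustration, not the hotel's or JC's configuration). It assumes the console VLAN arrives on an interface named "vlan20", that the consoles are handed a resolver at 192.0.2.53, and that the streaming service's address ranges live in a set seeded here with the placeholder 203.0.113.0/24.

```nft
# Constructed example: egress policy for a gym-console guest VLAN.
# Assumed names: "vlan20" is the console VLAN interface, 192.0.2.53 is the
# resolver the consoles use, and streaming_v4 holds the streaming service's
# current address ranges (placeholder 203.0.113.0/24 below).
table inet gym_consoles {
    set streaming_v4 {
        type ipv4_addr
        flags interval
        # Placeholder range. Real service ranges change, so whatever feeds
        # this set (a scheduled job, for instance) must keep it refreshed.
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        # Default deny in both directions; everything below is an exception.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the consoles themselves opened.
        ct state established,related accept

        # Consoles may resolve names, but only at the designated resolver.
        iifname "vlan20" ip daddr 192.0.2.53 udp dport 53 accept
        iifname "vlan20" ip daddr 192.0.2.53 tcp dport 53 accept

        # Consoles may reach the streaming service over HTTPS and nothing else.
        iifname "vlan20" ip daddr @streaming_v4 tcp dport 443 accept

        # Everything else from or to the console VLAN is logged (rate limited)
        # and then dropped by the chain policy, so a console phoning somewhere
        # unexpected or a device plugged into a console's cable shows up in
        # the firewall log instead of quietly getting through.
        iifname "vlan20" limit rate 10/minute log prefix "gym-console-egress-drop "
        oifname "vlan20" limit rate 10/minute log prefix "gym-console-ingress-drop "
    }
}
```

Load it with `nft -f` and check the dropped-connection log after the consoles have run for a day: anything beyond resolver and streaming traffic is either a missing address range or something that should not be there.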

Last week, we talked about a coffee maker that became the attack surface for a company. This situation is not much different, with both stories showing how important it is to lock down connected devices, no matter how little they resemble a computer.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request. ®