Locked Out of ‘God Mode,’ Runners Hack Their Treadmills


JD Howard just wanted to watch cloud security tutorials. Howard, a construction industry worker on sabbatical, spent $4,000 on a NordicTrack X32i treadmill, lured in by its 32-inch HD screen and the opportunity to exercise body and mind. His plan was to spend his time away from work exercising while watching technical videos from learning platforms such as Pluralsight and Udemy. But his treadmill had other ideas.

Despite having a huge display strapped to it, NordicTrack’s hardware pushes people to subscribe to exercise software operated by iFit, its parent company, and doesn’t let you watch videos from other apps or external sources. iFit’s content includes exercise classes and running routes, which automatically change the incline of the treadmill depending on the terrain on the screen. But Howard, and many other NordicTrack owners, weren’t drawn to the hardware by iFit’s videos. They were drawn in by how easy the fitness machines were to hack.

To get into his X32i, all Howard needed to do was tap the touchscreen 10 times, wait seven seconds, then tap 10 more times. Doing so unlocked the machine—letting Howard into the underlying Android operating system. This privilege mode, a sort of God mode, gave Howard complete control over the treadmill: He could sideload apps and, using a built-in browser, access anything and everything online. “It wasn’t complicated,” Howard says. After accessing privilege mode he installed a third-party browser that allowed him to save passwords and fire up his beloved cloud security videos.

While NordicTrack doesn’t advertise privilege mode as a customer feature, its existence isn’t exactly a secret. Multiple unofficial guides tell people how to get into their machines, and even iFit’s support pages explain how to access it. The whole reason Howard bought the X32i, he says, was because he could access God mode. But the good times didn’t last long.

Since October, NordicTrack has been automatically updating all of its exercise equipment—its bikes, ellipticals, and rowing machines all have big screens attached—to block access to privilege mode. The move has infuriated customers who are now fighting back and finding workarounds that allow them to bypass the update and watch whatever they want while they work out.

“I got exactly what I paid for,” Howard says, adding that he already owned a “crappy” treadmill without a screen before he purchased the internet-connected model and is also a subscriber to the iFit software. “Now they’re trying to take away [features] that are of critical importance to me. I’m not OK with that.”

Another NordicTrack owner, who asked not to be named, says the treadmill is one of the most expensive purchases he’s ever made and he was “outraged” when the update stopped him and his partner from watching Netflix, YouTube, and English Premier League football highlights while they worked out. “You’ve actually pushed an update to stop me from doing this, which is really bizarre,” he says. “It’s so frustrating because this beautiful screen is here.”

They aren’t alone in their complaints. In recent weeks multiple threads and posts lamenting NordicTrack and iFit’s decision to lock down privilege mode have appeared online. Customers complain that they’ve spent thousands of dollars on their machines and should be able to do what they like with them, many arguing that being able to watch their favorite shows means they’re more likely to spend time working out. Some say they valued the ability to cast iFit’s exercise videos onto a bigger screen; others say they want to use their treadmills for Zoom calls. Many complain that, in contrast to previous software updates, the one to block privilege mode was forced upon them.

“The block on privilege mode was automatically installed because we believe it enhances security and safety while using fitness equipment that has multiple moving parts,” says a spokesperson for NordicTrack and iFit. The company has never marketed its products as being able to access other apps, the spokesperson adds. “As there is no way of knowing what kind of changes or errors a consumer could introduce into the software, there is no way of knowing what specific issues accessing privilege mode might cause,” the spokesperson says. “Therefore, to maintain security, safety, and machine functionality, we have restricted access to privilege mode.” The spokesperson also emphasizes that privilege mode was “never designed as a consumer-facing functionality.” Rather, it was designed to allow the company’s customer service team to remotely access the products to “troubleshoot, update, reset, or repair our software.”

The move puts the company at the center of the right-to-repair debate, with consumers increasingly demanding that companies let them alter the products they purchase. John Deere tractors, for example, have been criticized by farmers who are forced to use official dealerships for vehicle repairs. Broadly, the right to repair can include everything from making spare parts available to ensuring items can legally be resold. Having spent years ignoring pleas from right-to-repair advocates, Apple recently announced it would release repair manuals and spare parts for iPhones and Macs for the first time. Its shift in attitude follows regulatory pressure for better right-to-repair rules from the US government. Draft laws are expected in Europe toward the end of 2022.

Not officially being able to watch third-party videos isn’t unique to NordicTrack. Peloton’s terms of service prohibit the installation of other apps. That hasn’t stopped people from installing them though—online videos and guides show people accessing a hidden web browser and logging into Netflix using a tapping method similar to that used with the NordicTrack equipment. Peloton Reddit community members also detail how to install other apps on Peloton’s Android tablet.

The right to repair should include allowing people to tinker with software, advocates say. “I think a lot of the pushback from consumers stems from the disconnect between the expectations that we have about ownership,” says Aaron Perzanowski, a professor of law at Case Western Reserve University in Cleveland, Ohio. “We’ve made our payments, we believe we own this device, and then we find out later that the story is much more complicated.”

When you purchase physical products, intellectual property and copyright laws can mean the creators of software still retain the rights over their code—potentially putting people in breach of licensing agreements, warranties, or terms of service if they tamper with their devices. (The US Office of Copyright has recently increased some of the protections offered to consumers.)

“I should be able to refuse a software update if I discover that it actually makes my use of the product worse than before, because ultimately, that product is mine,” says Ugo Vallauri, cofounder of The Restart Project, a London-based organization that campaigns for the right to repair and encourages people to use their electronics for longer to help reduce waste. “We need to rebalance the rights so that consumers, if they actually have bought a product, have full control over it.”

NordicTrack says it supports right-to-repair rules. However, because of its equipment’s moving parts, the spokesperson says, it believes that restricting access to its operating system is important for safety. Someone unlocking a treadmill in a commercial gym could potentially expose people to settings they are unfamiliar with. “If we ascertain that a product owner has found a workaround to access privilege mode, the product warranty may be void,” the spokesperson adds.

Despite this, NordicTrack owners aren’t giving up the fight just yet. YouTube videos detailing workarounds are still easy to find, with disgruntled NordicTrack owners collaborating to dodge the blocks. At the moment, the most popular hacks involve factory resetting devices and reconfiguring Wi-Fi router settings to block the company pushing out automatic updates. “The software that appears on the machine after a factory reset is actually quite old,” Howard says. “But from that baseline, you have access to everything.”

Alongside his cybersecurity studies, Howard says he has been scrutinizing NordicTrack’s software, and he claims to have found lots of other ways to get around the privilege mode block—but has not disclosed what these are. Despite the warnings from NordicTrack, he’s confident the company won’t be able to stop him and others from watching what they want in the long run. “If I have to decompile their software and reprogram it myself,” he says, “I’ll find a way.”

