It’s January and that means one thing: the CES Worst In Show awards. If you’re not hip to Worst In Show, it’s an effort by those of us who care about things like consumer rights, cybersecurity and sustainability to pull back the covers a bit on the firehose of glowing press releases and “cool new technology” unveilings that happens every January at the Consumer Electronics Show (CES) in Las Vegas.
Together with groups like iFixit, PIRG, Electronic Frontier Foundation and Consumer Reports, not to mention leading thinkers like Cory Doctorow, Secure Repairs looks to highlight the less celebrated qualities of “cool new stuff”: privacy violations, lack of repairability, environmental sustainability, as well as just “who the heck asked for this?!”
And then there are the cybersecurity risks. Secure Repairs is in its fifth year as one of the Worst In Show judges. Our past nominees for Worst In Show include hackable home routers by TP-Link and sensor-rich but insecure robot vacuums by Ecovacs.
Worst In Show For Cyber: MERACH Ultra Tread
Which brings us to this year’s CES “Worst in Show” winner when it comes to cybersecurity. The award for 2026 goes to MERACH, a China-based company that makes home exercise equipment. At CES this week, MERACH unveiled its latest product: the MERACH Ultra Tread—a series of home treadmills featuring a built-in conversational AI coach.

You Can’t Spell Privacy Without AI?
It’s 2026. Smart home exercise equipment is commonplace. Whether it’s Peloton’s high-end stationary cycles or Tonal’s “all in one” wall-mounted home gyms, internet connectivity, sensors, and now large language model AI are standard features. What’s left unsaid is how these common features significantly raise the security stakes for the equipment manufacturers.
It goes without saying that sensor-rich, Internet-connected exercise equipment that collects personal and financial information, biometric and health data is a rich potential target for malicious actors. Add large language model AI to the equation and the risks only get more concerning, given the way AI can correlate data and make inferences from the wealth of information collected by seemingly innocent devices like treadmills and stationary cycles.
A Bomb In the Privacy Policy
Which brings us to MERACH’s Ultra Tread, an “LLM-powered treadmill.” While the inner workings of the Ultra Tread’s firmware and MERACH’s accompanying apps are almost certain to contain security risks (they’re common in smart home products), we needed to look no further than MERACH’s official privacy policy to conclude that this product deserved this year’s “Worst in Show” title for cybersecurity.
In compliance with data privacy laws such as California’s, Merach’s privacy policy provides details about the great variety of data its devices collect from customers.

But, in the section of the Privacy Policy related to security, the company makes a startling confession: “we cannot guarantee the security of your personal information.”
Yes, Merach said it tries to secure the data it collects, employing “a number of technical, organizational, and physical safeguards designed to protect the personal information we collect.” “However,” Merach goes on, “the security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.”
This striking admission highlights a level of vulnerability that is concerning for a product intended to be part of a user’s daily routine. And it does not seem to be the norm. For example, Peloton, another maker of smart, Internet-connected home exercise equipment, has a far more comprehensive and nuanced take on data privacy and security. On the issue of the “Security of Your Information,” Peloton’s Privacy Policy reads:
“We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. We maintain commercially reasonable administrative, technical and physical safeguards (which vary depending on the sensitivity of the personal information) designed to protect against unauthorized use, disclosure or access of personal information.” – Peloton Privacy Policy
Is that a guarantee? Absolutely not. And the fate of data stored on Peloton and Merach devices may be the same. But Peloton’s statement at least makes clear that the company is not ‘tossing in the towel’ and takes the job of protecting its customers’ data seriously.
Why This Matters
In an era awash with data-hungry smart devices and the accompanying data breaches, security is paramount. As Secure Repairs has made clear: the responsibility falls on manufacturers to ensure robust protection mechanisms are in place. Products such as the MERACH Ultra Tread, with capabilities to collect extensive data including health and biometric information, should meet the highest standards of cybersecurity to ensure consumer safety.
The company may simply be ‘saying the quiet part out loud,’ as the saying goes. But the failure to guarantee data protection exposes users to potential risks, from identity theft to privacy invasions.
This year’s “Worst in Show” decision serves as a warning to consumers to dig deeper into the smart products you are considering buying. And it is another critical reminder for manufacturers about the importance of cybersecurity. As technology continues to integrate deeper into our personal lives, the standards for privacy and data protection must evolve correspondingly. Products that do not meet these standards will face scrutiny and consequence.
For those attending CES and engaging with the latest tech innovations, it’s a reminder to prioritize asking difficult questions about data security and privacy for every product showcased. Let’s strive for a secure and resilient future together!
