Peloton’s leaky API let anyone grab riders’ private account data

Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.

My Peloton profile is set to private and my friends list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.

Peloton, the at-home fitness brand synonymous with its indoor stationary bike, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)

But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics, and whether it was the user’s birthday, details that are hidden when users’ profile pages are set to private.

Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window of time that security researchers give to companies to fix bugs before details are made public.

But that deadline came and went, the bug wasn’t fixed, and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.
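The difference between the bug as reported, the members-only restriction, and a per-profile authorization check can be shown in a short sketch. This is an added example, not Peloton's code or API: every handler name, token and record below is hypothetical and constructed for illustration.

```python
"""Added illustration: three stages of access control on a profile endpoint.
All names and data are hypothetical; this is not Peloton's code or API."""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    city: str
    age: int
    weight_kg: int
    is_private: bool = True
    approved_followers: set = field(default_factory=set)


# Constructed sample records and sessions (token -> caller id).
USERS = {
    "u-alice": User("u-alice", "Springfield", 34, 70),
    "u-bob": User("u-bob", "Shelbyville", 41, 82, is_private=False),
    "u-carol": User("u-carol", "Ogdenville", 29, 60, approved_followers={"u-bob"}),
}
SESSIONS = {"tok-bob": "u-bob", "tok-mallory": "u-mallory"}  # mallory: any paying member

PUBLIC_FIELDS = ("user_id",)
PRIVATE_FIELDS = ("user_id", "city", "age", "weight_kg")


def _view(user, fields):
    return {name: getattr(user, name) for name in fields}


def get_profile_unauthenticated(target_id, token=None):
    """Stage 1, as reported: the caller is never identified or checked."""
    user = USERS.get(target_id)
    if user is None:
        return 404, {}
    return 200, _view(user, PRIVATE_FIELDS)


def get_profile_members_only(target_id, token=None):
    """Stage 2, the interim restriction: a valid session is required, but the
    handler never asks whether this member may see this profile."""
    if SESSIONS.get(token) is None:
        return 401, {}
    return get_profile_unauthenticated(target_id)


def _may_view(caller_id, user):
    """Object-level rule: the owner, an approved follower, or a public profile."""
    return (caller_id == user.user_id
            or not user.is_private
            or caller_id in user.approved_followers)


def get_profile_authorized(target_id, token=None):
    """Stage 3: authenticate, then authorize against the requested object."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, {}
    user = USERS.get(target_id)
    if user is None:
        return 404, {}
    fields = PRIVATE_FIELDS if _may_view(caller_id, user) else PUBLIC_FIELDS
    return 200, _view(user, fields)


def leaks(handler):
    """Regression check: list (token, target) pairs where a private profile's
    details reached a caller who is neither the owner nor an approved follower."""
    found = []
    for token in (None, "tok-bob", "tok-mallory"):
        caller_id = SESSIONS.get(token)
        for user in USERS.values():
            if not user.is_private:
                continue
            status, body = handler(user.user_id, token)
            permitted = caller_id is not None and _may_view(caller_id, user)
            if status == 200 and "city" in body and not permitted:
                found.append((token, user.user_id))
    return found


if __name__ == "__main__":
    for handler in (get_profile_unauthenticated,
                    get_profile_members_only,
                    get_profile_authorized):
        print(handler.__name__, leaks(handler))
```

Requiring a login removes only the anonymous rows from the leak list; the private profiles stay readable by any member until the handler checks the caller against the profile being requested.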

TechCrunch contacted Peloton after the deadline lapsed to ask why the vulnerability report had been ignored, and Peloton confirmed yesterday that it had fixed the vulnerability. (TechCrunch held this story until the bug was fixed in order to prevent misuse.)

Peloton spokesperson Amelise Lane provided the following statement:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

Masters has since put up a blog post explaining the vulnerabilities in more detail.

Munro, who founded Pen Test Partners, told TechCrunch: “Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.”

But questions remain for Peloton. When asked repeatedly, the company declined to say why it had not responded to Masters’ vulnerability report. It’s also not known if anyone maliciously exploited the vulnerabilities, such as mass-scraping account data.

Facebook, LinkedIn, and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms. But Peloton declined to confirm if it had logs to rule out any malicious exploitation of its leaky API.

Cognixion’s brain-monitoring headset enables fluid communication for people with severe disabilities

Of the many frustrations of having a severe motor impairment, the difficulty of communicating must surely be among the worst. The tech world has not offered much succor to those affected by things like locked-in syndrome, ALS, and severe strokes, but startup Cognixion aims to with a novel form of brain monitoring that, combined with a modern interface, could make speaking and interaction far simpler and faster.

The company’s One headset tracks brain activity closely in such a way that the wearer can direct a cursor — reflected on a visor like a heads-up display — in multiple directions or select from various menus and options. No physical movement is needed, and with the help of modern voice interfaces like Alexa, the user can not only communicate efficiently but freely access all kinds of information and content most people take for granted.

But it’s not a miracle machine, and it isn’t a silver bullet. Here’s how it got started.

Overhauling decades-old brain tech

Everyone with a motor impairment has different needs and capabilities, and there are a variety of assistive technologies that cater to many of these needs. But many of these techs and interfaces are years or decades old — medical equipment that hasn’t been updated for an era of smartphones and high-speed mobile connections.

Some of the most dated interfaces, unfortunately, are those used by people with the most serious limitations: those whose movements are limited to their heads, faces, eyes — or even a single eyelid, like Jean-Dominique Bauby, the famous author of “The Diving Bell and the Butterfly.”

One of the tools in the toolbox is the electroencephalogram, or EEG, which involves detecting activity in the brain via patches on the scalp that record electrical signals. But while they’re useful in medicine and research in many ways, EEGs are noisy and imprecise — more for finding which areas of the brain are active than, say, which sub-region of the sensory cortex or the like. And of course you have to wear a shower cap wired with electrodes (often greasy with conductive gel) — it’s not the kind of thing anyone wants to do for more than an hour, let alone all day every day.

Yet even among those with the most profound physical disabilities, cognition is often unimpaired — as indeed EEG studies have helped demonstrate. It made Andreas Forsland, co-founder and CEO of Cognixion, curious about further possibilities for the venerable technology: “Could a brain-computer interface using EEG be a viable communication system?”

He first used EEG for assistive purposes in a research study some five years ago. They were looking into alternative methods of letting a person control an on-screen cursor, among them an accelerometer for detecting head movements, and tried integrating EEG readings as another signal. But it was far from a breakthrough.

A modern lab with an EEG cap wired to a receiver and laptop – this is an example of how EEG is commonly used.

He ran down the difficulties: “With a read-only system, the way EEG is used today is no good; other headsets have slow sample rates and they’re not accurate enough for a real-time interface. The best BCIs are in a lab, connected to wet electrodes — it’s messy, it’s really a non-starter. So how do we replicate that with dry, passive electrodes? We’re trying to solve some very hard engineering problems here.”

The limitations, Forsland and his colleagues found, were not so much with the EEG itself as with the way it was carried out. This type of brain monitoring is meant for diagnosis and study, not real-time feedback. It would be like taking a tractor to a drag race. Not only do EEGs often work with a slow, thorough check of multiple regions of the brain that may last several seconds, but the signal it produces is analyzed by dated statistical methods. So Cognixion started by questioning both practices.

Improving the speed of the scan is more complicated than overclocking the sensors or something. Activity in the brain must be inferred by collecting a certain amount of data. But that data is collected passively, so Forsland tried bringing an active element into it: a rhythmic electric stimulation that is in a way reflected by the brain region, but changed slightly depending on its state — almost like echolocation.

The Cognixion One headset with its dry EEG terminals visible.

They detect these signals with a custom set of six EEG channels in the visual cortex area (up and around the back of your head), and use a machine learning model to interpret the incoming data. Running a convolutional neural network locally on an iPhone — something that wasn’t really possible a couple years ago — the system can not only tease out a signal in short order but make accurate predictions, making for faster and smoother interactions.

The result is sub-second latency with 95-100 percent accuracy in a wireless headset powered by a mobile phone. “The speed, accuracy and reliability are getting to commercial levels —  we can match the best in class of the current paradigm of EEGs,” said Forsland.

Dr. William Goldie, a clinical neurologist who has used and studied EEGs and other brain monitoring techniques for decades (and who has been voluntarily helping Cognixion develop and test the headset), offered a positive evaluation of the technology.

“There’s absolutely evidence that brainwave activity responds to thinking patterns in predictable ways,” he noted. This type of stimulation and response was studied years ago. “It was fascinating, but back then it was sort of in the mystery magic world. Now it’s resurfacing with these special techniques and the computerization we have these days. To me it’s an area that’s opening up in a manner that I think clinically could be dramatically effective.”

BCI, meet UI

The first thing Forsland told me was “We’re a UI company.” And indeed even such a step forward in neural interfaces as he later described means little if it can’t be applied to the problem at hand: helping people with severe motor impairment to express themselves quickly and easily.

Sad to say, it’s not hard to imagine improving on the “competition,” things like puff-and-blow tubes and switches that let users laboriously move a cursor right, right a little more, up, up a little more, then click: a letter! Gaze detection is of course a big improvement over this, but it’s not always an option (eyes don’t always work as well as one would like) and the best eye-tracking solutions (like a Tobii Dynavox tablet) aren’t portable.

Why shouldn’t these interfaces be as modern and fluid as any other? The team set about making a UI with this and the capabilities of their next-generation EEG in mind.

Image of the target Cognixion interface as it might appear to a user, with buttons for yes, no, phrases and tools.

Their solution takes bits from the old paradigm and combines them with modern virtual assistants and a radial design that prioritizes quick responses and common needs. It all runs in an app on an iPhone, the display of which is reflected in a visor, acting as a HUD and outward-facing display.

In easy reach of, not to say a single thought but at least a moment’s concentration or a tilt of the head, are everyday questions and responses — yes, no, thank you, etc. Then there are slots to put prepared speech into — names, menu orders, and so on. And then there’s a keyboard with word- and sentence-level prediction that allows common words to be popped in without spelling them out.

“We’ve tested the system with people who rely on switches, who might take 30 minutes to make 2 selections. We put the headset on a person with cerebral palsy, and she typed out her name and hit play in 2 minutes,” Forsland said. “It was ridiculous, everyone was crying.”

Goldie noted that there’s something of a learning curve. “When I put it on, I found that it would recognize patterns and follow through on them, but it also sort of taught patterns to me. You’re training the system, and it’s training you — it’s a feedback loop.”

“I can be the loudest person in the room”

One person who has found it extremely useful is Chris Benedict, a DJ, public speaker, and disability advocate who himself has Dyskinetic Cerebral Palsy. It limits his movements and ability to speak, but doesn’t stop him from spinning (digital) records at various engagements, or from explaining his experience with Cognixion’s One headset over email. (And you can see him demonstrating it in person in the video above.)

DJ Chris Benedict wears the Cognixion Headset in a bright room.

“Even though it’s not a tool that I’d need all the time it’s definitely helpful in aiding my communication,” he told me. “Especially when I need to respond quickly or am somewhere that is noisy, which happens often when you are a DJ. If I wear it with a Bluetooth speaker I can be the loudest person in the room.” (He always has a speaker on hand, since “you never know when you might need some music.”)

The benefits offered by the headset give some idea of what is lacking from existing assistive technology (and what many people take for granted).

“I can use it to communicate, but at the same time I can make eye contact with the person I’m talking to, because of the visor. I don’t have to stare at a screen between me and someone else. This really helps me connect with people,” Benedict explained.

“Because it’s a headset I don’t have to worry about getting in and out of places, there is no extra bulk added to my chair that I have to worry about getting damaged in a doorway. The headset is balanced too, so it doesn’t make my head lean back or forward or weigh my neck down,” he continued. “When I set it up to use the first time it had me calibrate, and it measured my personal range of motion so the keyboard and choices fit on the screen specifically for me. It can also be recalibrated at any time, which is important because not every day is my range of motion the same.”

Alexa, which has been extremely helpful to people with a variety of disabilities due to its low cost and wide range of compatible devices, is also part of the Cognixion interface, something Benedict appreciates, having himself adopted the system for smart home and other purposes. “With other systems this isn’t something you can do, or if it is an option, it’s really complicated,” he said.

Next steps

As Benedict demonstrates, there are people for whom a device like Cognixion’s makes a lot of sense, and the hope is it will be embraced as part of the necessarily diverse ecosystem of assistive technology.

Forsland said that the company is working closely with the community, from users to clinical advisors like Goldie and other specialists, like speech therapists, to make the One headset as good as it can be. But the hurdle, as with so many devices in this class, is how to actually put it on people’s heads — financially and logistically speaking.

Cognixion is applying for FDA clearance to get the cost of the headset — which, being powered by a phone, is not as high as it would be with an integrated screen and processor — covered by insurance. But in the meantime the company is working with clinical and corporate labs that are doing neurological and psychological research. Places where you might find an ordinary, cumbersome EEG setup, in other words.

The company has raised funding and is looking for more (hardware development and medical pursuits don’t come cheap), and has also collected a number of grants.

The One headset may still be some years away from wider use (the FDA is never in a hurry), but that allows the company time to refine the device and include new advances. Unlike many other assistive devices, for example a switch or joystick, this one is largely software-limited, meaning better algorithms and UI work will significantly improve it. While many wait for companies like Neuralink to create a brain-computer interface for the modern era, Cognixion has already done so for a group of people who have much more to gain from it.

You can learn more about the Cognixion One headset and sign up to receive the latest at its site here.

Sony announces investment and partnership with Discord to bring the chat app to PlayStation

Sony and Discord have announced a partnership that will integrate the latter’s popular gaming-focused chat app with PlayStation’s own built-in social tools. It’s a big move and a fairly surprising one given how recently acquisition talks were in the air — Sony appears to have offered a better deal than Microsoft, taking an undisclosed minority stake in the company ahead of a rumored IPO.

The exact nature of the partnership is not expressed in the brief announcement post. The closest we come to hearing what will actually happen is that the two companies plan to “bring the Discord and PlayStation experiences closer together on console and mobile starting early next year,” which at least is easy enough to imagine.

Discord has partnered with console platforms before, though its deal with Microsoft was not a particularly deep integration. This is almost certainly more than a “friends can see what you’re playing on PS5” and more of a “this is an alternative chat infrastructure for anyone on a Sony system.” Chances are it’ll be a deep, system-wide but clearly Discord-branded option — such as a “Start a voice chat with Discord” option when you invite a friend to your game or join theirs.

The timeline of early 2022 also suggests that this is a major product change, probably coinciding with a big platform update on Sony’s long-term PS5 roadmap.

While the new PlayStation is better than the old one when it comes to voice chat, the old one wasn’t great to begin with, and Discord is not just easier to use but something millions of gamers already do use daily. And these days, if a game isn’t an exclusive, being robustly cross-platform is the next best option — so PS5 players being able to seamlessly join and chat with PC players will reduce a pain point there.

Of course Microsoft has its own advantages, running both the Xbox and Windows ecosystems, but it has repeatedly fumbled this opportunity and the acquisition of Discord might have been the missing piece that tied it all together. That bird has flown, of course, and while Microsoft’s acquisition talks reportedly valued Discord at some $10 billion, it seems the growing chat app decided it would rather fly free with an IPO and attempt to become the dominant voice platform everywhere rather than become a prized pet.

Sony has done its part, financially speaking, by taking part in Discord’s recent $100 million H round. The amount they contributed is unknown, but perforce it can’t be more than a small minority stake given how much the company has taken on and its total valuation.

Apple sales bounce back in China as Huawei loses smartphone crown

Huawei’s smartphone rivals in China are quickly divvying up the market share it has lost over the past year.

92.4 million smartphones were shipped in China during the first quarter, with Vivo claiming the crown with a 23% share and its sister company Oppo following closely behind with 22%, according to market research firm Canalys. Huawei, whose smartphone sales took a hit after U.S. sanctions cut key chip parts off its supply chain, came in third at 16%. Xiaomi and Apple took the fourth and fifth spot respectively.

All major smartphone brands but Huawei saw a jump in their market share in China from Q1 2020. Apple’s net sales in Greater China nearly doubled year-over-year to $17.7 billion in the three months ended March, a quarter of all-time record revenue for the American giant, according to its latest financial results.

“We’ve been especially pleased by the customer response in China to the iPhone 12 family,” said Tim Cook during an earnings call this week. “You have to remember that China entered the shutdown phase earlier in Q2 of last year than other countries. And so they were relatively more affected in that quarter, and that has to be taken into account as you look at the results.”

Huawei’s share shrank from a dominant 41% to 16% in a year’s time, though the telecom equipment giant managed to increase its profit margin partly thanks to slashed costs. In November, it sold off its budget phone line Honor.

This quarter is also the first time China’s smartphone market has grown in four years, with a growth rate of 27%, according to Canalys.

“Leading vendors are racing to the top of the market, and there was an unusually high number of smartphone launches this quarter compared with Q1 2020 or even Q4 2020,” said Canalys analyst Amber Liu.

“Huawei’s sanctions and Honor’s divestiture have been hallmarks of this new market growth, as consumers and channels become more open to alternative brands.”

UK’s IoT ‘security by design’ law will cover smartphones too

Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security of consumer devices, the government said today.

It made the announcement in its response to a consultation on legislative plans aimed at tackling some of the most lax security practices long-associated with the Internet of Things (IoT).

The government introduced a security code of practice for IoT device manufacturers back in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements.

A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices.

Its plan now is for virtually all smart devices to be covered by legally binding security requirements, with the government pointing to research from consumer group “Which?” that found that a third of people kept their last phone for four years, while some brands only offer security updates for just over two years.

The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers of the duration of time for which a device will receive software updates at the point of sale.

It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often preset in a device’s factory settings and easily guessable — making them meaningless in security terms.

California already passed legislation banning such passwords in 2018 with the law coming into force last year.

Under the incoming U.K. law, manufacturers will additionally be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

The government said it will introduce legislation as soon as parliamentary time allows.

Commenting in a statement, digital infrastructure minister Matt Warman added: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

A DCMS spokesman confirmed that laptops, PCs and tablets with no cellular connection will not be covered by the law, nor will secondhand products, although he added that the intention is for the scope to be adaptive, to ensure the law can keep pace with new threats that may emerge around devices.

Apple brings Touch ID to the Magic Keyboard

Apple has unveiled a new, colorful iMac today with an Apple-designed M1 chip. But that was just part of the story as the company used that opportunity to release new Mac accessories. In addition to a Magic Trackpad and a Magic Mouse with multiple color options, Apple is bringing Touch ID to desktop Macs with a new Magic Keyboard.

Touch ID on desktop works as expected. There’s a fingerprint sensor located at the top right of the keyboard. It replaces the ‘Eject’ key that you can find on existing Apple keyboards. It lets you unlock your computer, pay with Apple Pay, unlock a password manager and more.

Interestingly, Touch ID works wirelessly, which means that you don’t have to connect your keyboard to your Mac with a Lightning cable. There’s a dedicated security component built in the keyboard. It communicates directly with the Secure Enclave in the M1, which means that it only works with modern Mac computers with an M1 chip. It’s going to be interesting to see the security implementation of this new take on Touch ID.

Customers can choose between three keyboard models when they buy a new iMac. Some iMac models probably don’t come with Touch ID by default. You may be able to buy the keyboard separately, but we’ll have to wait for the event to end to find out how much the new keyboard costs.

Deep Science: Introspective, detail-oriented and disaster-chasing AIs

Research papers come out far too frequently for anyone to read them all. That’s especially true in the field of machine learning, which now affects (and produces papers in) practically every industry and company. This column aims to collect some of the most relevant recent discoveries and papers — particularly in, but not limited to, artificial intelligence — and explain why they matter.

It takes an emotionally mature AI to admit its own mistakes, and that’s exactly what this project from the Technical University of Munich aims to create. Maybe not the emotion, exactly, but recognizing and learning from mistakes, specifically in self-driving cars. The researchers propose a system in which the car would look at all the times in the past when it has had to relinquish control to a human driver and thereby learn its own limitations — what they call “introspective failure prediction.”

For instance, if there are a lot of cars ahead, the autonomous vehicle’s brain could use its sensors and logic to make a decision de novo about whether an approach would work or whether none will. But the TUM team says that by simply comparing new situations to old ones, it can reach a decision much faster on whether it will need to disengage. Saving six or seven seconds here could make all the difference for a safe handover.

It’s important for robots and autonomous vehicles of all types to be able to make decisions without phoning home, especially in combat, where decisive and concise movements are necessary. The Army Research Lab is looking into ways in which ground and air vehicles can interact autonomously, allowing, for instance, a mobile landing pad that drones can land on without needing to coordinate, ask permission or rely on precise GPS signals.

Their solution, at least for the purposes of testing, is actually rather low tech. The ground vehicle has a landing area on top painted with an enormous QR code, which the drone can see from a fairly long way off. The drone can track the exact location of the pad totally independently. In the future, the QR code could be done away with and the drone could identify the shape of the vehicle instead, presumably using some best-guess logic to determine whether it’s the one it wants.

Illustration showing how an AI tracks cells through a microscope.

In the medical world, AI is being put to work on tasks that are not so much difficult as they are tedious for people to do. A good example of this is tracking the activity of individual cells in microscopy images. It’s not a superhuman task to look at a few hundred frames spanning several depths of a petri dish and track the movements of cells, but that doesn’t mean grad students like doing it.

This software from researchers at Nagoya City University in Japan does it automatically using image analysis and the capability (much improved in recent years) of understanding objects over a period of time rather than just in individual frames. Read the paper here, and check out the extremely cute illustration showing off the tech at right … more research organizations should hire professional artists.

This process is similar to that of tracking moles and other skin features on people at risk for melanoma. While they might see a dermatologist every year or so to find out whether a given spot seems sketchy, the rest of the time they must track their own moles and freckles in other ways. That’s hard when they’re in places like one’s back.

Grover raises $71M to grow its consumer electronics subscription business

A startup tapping into the concept of the circular economy, where people don’t buy items outright but pay an incremental amount to use them temporarily, has raised some funding to scale its business in Europe and beyond. Grover, a Berlin-based startup that runs a subscription model where people can rent out consumer electronics like computers, smart phones, games consoles and scooters for set fees, has picked up €60 million ($71 million).

The funding is coming in the form of €45 million in equity and €15 million in venture debt.

The company, which as of September last year had 100,000 subscriptions and now has around 150,000, said it aims to triple its active users to 450,000 by the end of 2021. It will be using the funds both to expand to more markets, growing its business in Germany, Austria and the Netherlands (where it’s already operating) and launching in Spain and the US, and to add more product categories into the mix, including health and fitness devices, consumer robots and smart appliances.

And, it plans to invest in more innovation around its rental services. These have seen a new wave of interest in particular in the past year of pandemic life, which has put a strain on many people’s finances; definitely made it harder to plan for anything, including what gadgets you might need one week or the next; and turned the focus for many people on consuming less, and getting more mileage out of what they and others already have.

“Now more than ever, consumers value convenience, flexibility and sustainability when they shop for and use products. This is especially true when it comes to technology and all of the possibilities that it has to offer — whether that’s productivity, fun, or staying in touch with our loved ones,” said Michael Cassau, CEO and founder of Grover, in a statement. “The fresh funding allows us to bring these possibilities to even more people across the world. It enables us to double down on creating an unparalleled customer experience for our subscribers, and to push the boundaries of the most innovative ways for people and businesses to access and enjoy technology. The strong support from our investors confirms not only the important value our service brings to people, but also Grover’s vast growth potential. We’re still just scratching the surface of a €1 trillion global market.”

JMS Capital-Everglen led the Series B equity round, with participation also from Viola Fintech, Assurant Growth, existing investors coparion, Augmentum Fintech, Circularity Capital, Seedcamp and Samsung Next, and unnamed founders and angel investors from Europe and North America, among others. Kreos Capital issued the debt.

Samsung is a strategic investor: together with Grover it launched a subscription service in December that currently covers select models from its S21 series. “Samsung powered by Grover,” as it’s called, has started out in Germany, so one plan may be to use some of this investment to roll that out to other markets.

The funding is coming on the heels of a year when Berlin-based Grover said its business grew 2.5x (that is, 150%). Its most recent annual report noted that it had 100,000 active users as of September of last year, renting out 18,000 smartphones, 6,000 pairs of AirPods and over 1,300 electric scooters in that period. It also said that in the most recent fiscal year, it posted net revenues of about $43 million, with $71 million in annual recurring revenue, and tipping into profitability on an Ebitda basis.

It raised €250 million ($297 million) in debt just before the start of the pandemic, and prior to that also raised a Series A of $44 million in 2018, and $48 million in 2019 in a combination of equity and debt in a pre-Series B. It’s not disclosing its valuation.

The company’s service falls into a wider category of startups building services around the subscription economy model, which has touched asset-intensive categories like cars, but also much lighter, internet-only consumables like music and video streaming.

Indeed, Grover has been regularly referred to as the “Netflix for gadgets,” in part a reference to the latter company’s history starting out by sending out physical DVDs to people’s homes (which they returned when finished to get other films under a subscription model).

Similar to cars and films, there is definitely an argument to be made for owning gadgets on a subscription. The pricier that items become — and the more of them that there are battling for a share of consumers’ wallets against many of the other things that they can spend money to own or use — the less likely it is that people will be completely happy to fork out money or build in financing to own them, not least because the value of a gadget typically depreciates the minute a consumer does make the purchase.

At the same time, more consumers are subscribing, and often paying electronically, to services that they use regularly: whether it’s a Prime subscription, or Spotify, the idea with Grover — and others that are building subscriptions around physical assets — is to adopt the friction-light model of subscribing to a service, and apply it to physical goods.

And for retailers, it’s another alternative to offer customers — alongside buying outright, using credit, or offering buy-now-pay-later or other kinds of financing, in order to close a deal. Shopping cart abandonment, and competition for shoppers online, are very real prospects, so anything to catch incremental wins is a win. And if they are working in a premium (cost-per-month of use, say) to give customers possession of the gadget in question, if they manage to secure enough business this way, it actually might prove to be even more lucrative than outright sales, especially if the maintenance of those goods is offloaded to a third party like Grover.

Although some people have regularly been wary of the idea of used consumer electronics, or other used goods, that has been shifting. There have been a number of companies seeing strong growth in the last year on the back of helping consumers resell their own items. This has been helped in part by buyers being more focused on spending less (and sellers maybe earning back some money in the process), but also being keen to reduce their own footprints in the world by using items that are already out in circulation. In Europe alone, last week, Brighton-based MPB raised nearly $70 million for its used-camera equipment marketplace. Other recent deals have included used-goods marketplace Wallapop in Spain raising $191 million and clothing-focused Vestiaire Collective raising $216 million.

What is interesting here is — whether it’s a sign of the times, or because Grover might have cracked the subscription model for gadgets — the company seems to be progressing in an area that has definitely seen some fits and bumps over the years.

Lumoid out of the U.S. also focused on renting out tech gear but despite finding some traction and inking a deal with big box retailer Best Buy, it failed to raise the funding it needed to run its service and eventually shut down. It’s also not alone in trying to tackle the market. Others in the same space include Tryatec and Wonder, which seems to be focused more on trying out technology from startups.

The big question indeed is not just whether Grover will find more of a market for its rental/subscription model, but also whether it has cracked those economics around all of the supply chain management, shipping and receiving goods, reconditioning or repairing when needed, and simply keeping strong customer service throughout all of that. As we’ve seen many times, a good idea on one level can prove extremely challenging to execute on another.

Google denies Pixel 5a 5G cancelation, confirming it’s coming this year

Sometimes you’ve just got to confirm an unannounced product to put the rumors to bed, I guess. That was Google’s strategy this afternoon, following earlier rumors from Android Central that a chip shortage had put the kibosh on the mid-budget phone.

In a comment to TechCrunch, a Google spokesperson noted, “Pixel 5a 5G is not cancelled. It will be available later this year in the U.S. and Japan and announced in line with when last year’s a-series phone was introduced.”

That time frame would put the device’s arrival around late-summer, meaning it won’t arrive in time for Google I/O in May, as some speculated. Interestingly, the company appears to be limiting the device’s availability to two countries — at least at launch. That could, perhaps, be due to earlier-reported component shortages.

As The Verge notes, the company hasn’t been particularly precious when it comes to product announcements. The company took a similar approach ahead of the release of the Pixel. Either way, this isn’t exactly the standard big company approach to rumor denial, which is to either not answer or otherwise deflect.

Google may well be on edge about its Pixel line these days. The phone line hasn’t exactly taken the mobile world by storm, resulting in longstanding rumors that the company is looking to shake things up. That, in part, has seemingly been confirmed by some fairly high-profile exits.

Still, even while there have been issues on the premium side, the company’s budget “a” line has helped buoy its overall numbers. No word yet on specific specs, but the handset is not expected to be a radical departure from its predecessor.