Peloton fixes flaw on bikes that could have let bad actors access tablets



A patch has been issued for a Peloton vulnerability. 


A vulnerability with the Peloton Bike Plus that would have let hackers access the machine’s tablet has been fixed after being identified by McAfee’s Advanced Threat Research team, the computer security company said in a blog post Wednesday. Hackers with physical access to the Bike Plus, or access at some point from construction to delivery, would have been able to get remote root access to the tablet and install malicious software, intercept traffic and personal data, and gain control of the bike’s camera and microphone, McAfee said.

An example of how this would play out is a hacker could enter a gym with a Peloton Bike Plus and insert a USB key with a boot image file with malicious code. This would give them remote root access and the ability to install and run any programs, change files or set up remote backdoor access online. They could add malicious apps that look like Netflix or Spotify, for example, and users would then enter their login info, which would be gathered for other cyberattacks. They could make the bike’s camera and mic spy on the user, and even decrypt communications between the bike and various cloud services and databases to intercept sensitive information. 

McAfee wasn’t aware of any real-world breaches that took advantage of the vulnerability. Peloton pushed out a mandatory update in early June to protect its devices from the issue. 

Peloton bikes saw a surge in popularity as people looked for in-home fitness options during COVID-19 lockdowns. There was a 22% increase in Peloton users between September and the end of December 2020, according to Backlinko, and by the end of the year there were more than 4.4 million members on the platform.

Researchers pinpointed the vulnerability when, while looking for potential risks, they found the bike allowed them to load a file that wasn’t meant for Peloton’s hardware. That’s something that shouldn’t be possible on a locked device, they say. The McAfee ATR team told Peloton about the vulnerability and began working with the company to issue a patch, which was tested and found to be effective on June 4. 

The team advises consumers to stay on top of software updates from device manufacturers, and to also update mobile apps that pair with their internet of things devices. Researchers also say to ensure that any IoT device you want to buy is from a reputable seller that takes product security seriously. Additionally, be aware of the information the device collects, how vendors use that information and what they share with third parties or other users. 

“Above all, understand what control you have over your privacy and information usage,” researchers wrote in the blog. “It is a good sign if an IoT device allows you to opt out of having your information collected or lets you access and delete the data it does collect.”

See also: Peloton Bike vs. Peloton Bike Plus: The differences that matter 

The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.