The popular Peloton Bike+ had a vulnerability that, if exploited, would have given an attacker full control of the device, including its camera and microphone, allowing them to spy on gym members.
Researchers from McAfee’s Advanced Threat Research (ATR) team uncovered the vulnerability.
Attackers could use the weakness to gain remote root access to the Peloton's "tablet," the touchscreen that users rely on to view interactive and streaming content.
The attack, however, requires physical access to the bike or access at some point in the supply chain (from manufacturing to delivery).
When the tablet, which is a regular Android device, is hacked, the attacker will be able to install malware, listen in on traffic, and gain complete control of the Bike+.
According to the researchers' findings, an attacker who enters a gym or fitness center with a Peloton Bike+ can insert a small USB stick carrying a malicious boot image file that gives them remote root access.
Because the attacker does not need to factory-unlock the bike to load the malicious image, there is no visible evidence that the bike has been tampered with.
After gaining access to the Peloton’s operating system, the hacker can now install and execute any programs, edit data, and set up remote backdoor access via the internet.
The threat actor could even install malicious code disguised as popular apps such as Netflix or Spotify, allowing them to steal gym users' login credentials.
The attacker could also use the bike's camera and microphone to collect information about users' workouts or to spy on them.
Attackers can then decrypt the encrypted communications sent by the bike to the numerous cloud services and databases it uses, potentially gaining access to sensitive data.
The researchers discovered that the Bike+'s system did not check whether the device's bootloader was unlocked before attempting to boot a modified image, which allowed them to load a file that was never intended for the Peloton hardware.
They demonstrated that a legitimate update package for the Bike+ containing a valid boot image could be modified.
McAfee's researchers altered the update package to obtain elevated privileges.
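The check described above is the core of verified boot: a locked device must refuse to boot an image that is not signed by the vendor, regardless of whether the image is otherwise well formed. The following is an added example, not code from the article, Peloton or McAfee. It models the missing check in a few lines of Python, placing a bootloader that ignores the lock state beside one that enforces it. The vendor key, the image contents and the HMAC stand-in for a real signature scheme are all constructed assumptions so the example runs offline.

```python
"""Added example (not from the article, Peloton or McAfee): a minimal model of the
boot-time check the article says was missing on the Bike+."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed vendor signing key. A real device keeps a vendor *public* key in
# immutable storage and verifies an asymmetric signature; a symmetric HMAC is
# used here only so the example runs without extra libraries.
VENDOR_KEY = b"constructed-vendor-signing-key"

# Android boot images start with this magic value; used here as the "well formed" test.
BOOT_MAGIC = b"ANDROID!"


@dataclass
class BootImage:
    payload: bytes
    signature: bytes


def sign_image(payload: bytes, key: bytes = VENDOR_KEY) -> BootImage:
    """Produce a vendor-signed image (the legitimate update path)."""
    return BootImage(payload, hmac.new(key, payload, hashlib.sha256).digest())


def image_is_authentic(image: BootImage, key: bytes = VENDOR_KEY) -> bool:
    """True only if the payload is byte-for-byte what the vendor signed."""
    expected = hmac.new(key, image.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.signature)


def vulnerable_boot(image: BootImage, bootloader_locked: bool) -> tuple[bool, str]:
    """Models the flaw: the lock state is never consulted, so any well-formed
    image boots even though the device is supposedly locked."""
    if not image.payload.startswith(BOOT_MAGIC):
        return False, "refused: malformed image"
    return True, "boot"  # no signature check, no lock-state check


def hardened_boot(image: BootImage, bootloader_locked: bool) -> tuple[bool, str]:
    """Verified-boot behaviour: a locked device boots only authentic images; an
    unlocked device may boot anything, but the result records that state so the
    UI can warn the user (the 'tamper evidence' the article says was absent)."""
    if not image.payload.startswith(BOOT_MAGIC):
        return False, "refused: malformed image"
    if bootloader_locked:
        if image_is_authentic(image):
            return True, "boot"
        return False, "refused: signature mismatch"
    return True, "boot (bootloader unlocked - warning shown)"


def demo() -> dict[str, tuple[bool, str]]:
    """Run both loaders against a genuine image and a modified copy of it."""
    genuine = sign_image(BOOT_MAGIC + b"constructed-genuine-boot-image")
    # A modified image reusing the original signature, as an attacker who
    # edits a legitimate update package would have to do.
    modified = BootImage(genuine.payload + b"-modified", genuine.signature)
    return {
        "vulnerable/modified/locked": vulnerable_boot(modified, bootloader_locked=True),
        "hardened/modified/locked": hardened_boot(modified, bootloader_locked=True),
        "hardened/genuine/locked": hardened_boot(genuine, bootloader_locked=True),
        "hardened/modified/unlocked": hardened_boot(modified, bootloader_locked=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} -> {result}")
```

The point the example makes is that a signature check alone is not enough: the loader must also know whether it is in the locked state, because that is what decides whether an unsigned image is permitted at all, and whether the user is told about it.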
Peloton has released an updated firmware version to resolve the issue.
Users can check the Settings page on the touchscreen to see if the bike has been updated to the latest software.
During the pandemic, Peloton exercise equipment became more popular because it allowed people to work out at home while staying in touch with others in an online community.
The Peloton devices are connected to the internet and include a camera and microphone, which can pose a security risk to the user in the event of a hack.