A vulnerability in the Peloton Bike Plus that would have allowed hackers to take over the machine’s tablet has been fixed after being identified by McAfee’s Advanced Threat Research (ATR) team, the computer security company said in a blog post Wednesday. Hackers with physical access to a Bike Plus, or access at any point between manufacture and delivery, would have been able to gain root access to the tablet and, from there, set up persistent remote access, install malicious software, intercept traffic and personal data, and take control of the bike’s camera and microphone, McAfee said.
An example of how this would play out: a hacker could walk into a gym with a Peloton Bike Plus and boot the tablet from a USB key carrying a boot image laced with malicious code. Because the tablet accepted the image without checking that it was the manufacturer’s, this would give the attacker root access and the ability to install and run any program, change files, or configure a backdoor for remote access over the internet. They could add malicious apps that look like Netflix or Spotify, for example, and users would enter their login information, which would be harvested for other cyberattacks. They could turn the bike’s camera and microphone into spying tools, and even decrypt communications between the bike and various cloud services and databases to intercept sensitive information.
McAfee said it was not aware of any real-world breaches that exploited the vulnerability. Peloton released a mandatory update in early June to fix the problem on its devices.
Peloton bikes saw a surge in popularity as people sought fitness options at home during COVID-19 lockdowns. There was a 22% increase in Peloton users between September and the end of December 2020, according to Backlinko, and by the end of the year there were more than 4.4 million members on the platform.
The researchers identified the vulnerability when, while looking for potential risks, they found that the bike allowed them to load a file that was not intended for the Peloton hardware. That is something that should not be possible on a locked device, they say: a locked device should refuse to boot anything it cannot verify came from the manufacturer. The McAfee ATR team informed Peloton about the vulnerability and worked with the company on a patch, which was tested and found to be effective on June 4.
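The failure the researchers describe, a device that checks that an image is well formed but not that it is authentic, is easiest to see side by side with the check a locked device should make. The following is an added illustration, not Peloton’s or McAfee’s code: the toy boot image format, the `BOOTIMG!` marker, the sample images and the idea of a digest pinned in write-once storage are all constructed for the example. Production Android Verified Boot checks a signature over a hash descriptor rather than a bare pinned digest, but the decision point is the same.

```python
"""Why an unverified boot image is a root compromise (simplified model).

Added example; not Peloton's or McAfee's code. The image layout, the magic
marker and the pinned digest are constructed for illustration. Real verified
boot verifies a signature with a public key held in fused storage; this model
pins a SHA-256 digest of the only authorized image instead.
"""
import hashlib
import hmac
import struct

MAGIC = b"BOOTIMG!"  # constructed header marker, 8 bytes


def build_image(kernel: bytes, ramdisk: bytes) -> bytes:
    """Pack a toy boot image: magic, two little-endian lengths, payloads."""
    return MAGIC + struct.pack("<II", len(kernel), len(ramdisk)) + kernel + ramdisk


def parse_image(image: bytes):
    """Return (kernel, ramdisk); raise ValueError if the image is malformed."""
    if not image.startswith(MAGIC):
        raise ValueError("bad magic")
    klen, rlen = struct.unpack_from("<II", image, len(MAGIC))
    off = len(MAGIC) + 8
    if len(image) != off + klen + rlen:
        raise ValueError("length mismatch")
    return image[off:off + klen], image[off + klen:off + klen + rlen]


def boot_unverified(image: bytes) -> bytes:
    """Vulnerable loader: a format check only. Any well-formed image boots,
    including one an attacker wrote to a USB key."""
    kernel, _ = parse_image(image)
    return kernel


def boot_verified(image: bytes, pinned_digest: bytes) -> bytes:
    """Hardened loader: format check plus an authenticity check against a
    digest the running system cannot change (modelled as a constant here)."""
    kernel, _ = parse_image(image)
    digest = hashlib.sha256(image).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(digest, pinned_digest):
        raise PermissionError("boot image failed verification; refusing to boot")
    return kernel


# Constructed sample images. The attacker's image keeps the vendor kernel and
# appends a payload to the ramdisk, which is all that is needed for root.
FACTORY_IMAGE = build_image(b"vendor-kernel", b"vendor-ramdisk")
PINNED_DIGEST = hashlib.sha256(FACTORY_IMAGE).digest()  # what the vendor would fuse in
ATTACKER_IMAGE = build_image(b"vendor-kernel", b"vendor-ramdisk+reverse-shell")


def demo() -> dict:
    """Run both loaders against both images and report what each one did."""
    results = {
        "unverified_factory": boot_unverified(FACTORY_IMAGE),
        "unverified_attacker": boot_unverified(ATTACKER_IMAGE),  # boots: the bug
        "verified_factory": boot_verified(FACTORY_IMAGE, PINNED_DIGEST),
    }
    try:
        boot_verified(ATTACKER_IMAGE, PINNED_DIGEST)
        results["verified_attacker"] = "booted"
    except PermissionError:
        results["verified_attacker"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The point of `boot_unverified` is that nothing in it is wrong as a parser; it rejects garbage and accepts anything that looks like a boot image. That is exactly the property a gym-floor attacker with a USB key needs. `boot_verified` adds the one decision that turns "locked" from a label into a guarantee: the loader will not hand control to code it cannot tie back to the manufacturer.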
The team advises consumers to stay abreast of software updates from device manufacturers and to also update the mobile apps that pair with their Internet of Things devices. The researchers also say that any IoT device you buy should come from a trusted vendor that takes product security seriously. Also, consider what information the device collects, how the provider uses that information, and what it shares with third parties or other users.
“Above all, understand what control you have over your privacy and the use of information,” the researchers wrote on the blog. “It is a good sign if an IoT device allows you to choose not to collect your information or allows you to access and delete the data it collects.”