Posted on June 18, 2021 at 9:57 AM
It has come to the attention of cybersecurity firms that popular gym equipment, namely Peloton Bike and the Peloton Tread, harbours a security vulnerability that hackers can exploit. The vulnerability could make gym users victims of a wide range of cyberattacks, theft of personal details, and unauthorized video recordings.
McAfee Advanced Threat Research (ATR) team discovered the bug and stated that hackers could gain remote access to the Peloton tablet by exploiting it. The tablet is an important feature of the exercise equipment that allows the user to access online content such as workout training videos.
By gaining access to this tablet, a hacker can then deploy malware, monitor traffic and access a user’s data. The bug even allows the hacker to gain access to the Peloton’s camera and microphone.
One of the mechanisms hackers exploited in the attack was creating duplicate apps of platforms such as Netflix and Spotify to steal user login details. The malware could also record videos of workout sessions to sell later on the dark web.
Other attacks include replacing useful content on the tablet with attacker-controlled videos. Attackers could also gain access to encrypted communication through the cloud and databases linked to the Peloton. This allows them to access sensitive information.
However, not every attacker can reach and exploit the vulnerability in the Peloton workout equipment. According to McAfee, a hacker would need physical access to the machine or would have to be part of the supply chain at some point between manufacturing and delivery. This means that hackers would mainly access the equipment in a gym.
How Does the Hack Work?
McAfee explained how the hack works: an attacker inserts a small USB drive into the equipment. The drive carries a boot image file containing malicious code, and booting from it grants the attacker remote access to the equipment.
In its study, McAfee stated that “Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with.” “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files or set up remote backdoor access over the internet.”
The vulnerability in the Peloton equipment is that it did not detect the modified boot image. According to McAfee, the equipment should normally have refused to boot it, since the image was not part of the device's own software.
The McAfee researchers stated that “The Verified Boot process on the bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file.” “To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, [we] had gained complete control of the bike’s Android operating system.”
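As an added illustration (not Peloton's code and not part of McAfee's report), the Python below contrasts a boot check that trusts the image's own header with one that compares the image against a digest pinned in trusted storage, which is the kind of check that should have refused the modified image. The image format, the sample payload and the pinned digest are constructed for the example; a pinned digest stands in for the signed metadata real verified boot uses.

```python
import hashlib
import hmac

# Constructed toy image layout: 4-byte magic, 1-byte self-asserted flag, payload.
MAGIC = b"BOOT"
FLAG_OFFSET = 4
PAYLOAD_OFFSET = 5


def build_image(payload: bytes, claims_verified: bool = True) -> bytes:
    """Assemble a toy boot image; the flag is whatever the image author writes."""
    flag = b"\x01" if claims_verified else b"\x00"
    return MAGIC + flag + payload


def weak_boot_check(image: bytes) -> bool:
    """Flawed check: trusts the image's own header flag, which anyone can set."""
    return image[:FLAG_OFFSET] == MAGIC and image[FLAG_OFFSET:PAYLOAD_OFFSET] == b"\x01"


def verified_boot_check(image: bytes, pinned_digest: bytes) -> bool:
    """Proper check: recompute the payload digest and compare it against a value
    held in trusted, non-writable storage. The image's own claims are ignored."""
    if image[:FLAG_OFFSET] != MAGIC or len(image) <= PAYLOAD_OFFSET:
        return False
    digest = hashlib.sha256(image[PAYLOAD_OFFSET:]).digest()
    return hmac.compare_digest(digest, pinned_digest)  # constant-time compare


# Constructed sample data (not real firmware).
AUTHORIZED_PAYLOAD = b"kernel+initramfs v1.0 (constructed sample)"
PINNED_DIGEST = hashlib.sha256(AUTHORIZED_PAYLOAD).digest()
GENUINE_IMAGE = build_image(AUTHORIZED_PAYLOAD)
# A modified image that still asserts it is "verified" in its own header.
TAMPERED_IMAGE = build_image(AUTHORIZED_PAYLOAD + b" + unauthorized modification")


def demo() -> dict:
    """Run both checks on both images and report which would be allowed to boot."""
    return {
        "genuine_weak": weak_boot_check(GENUINE_IMAGE),
        "genuine_verified": verified_boot_check(GENUINE_IMAGE, PINNED_DIGEST),
        "tampered_weak": weak_boot_check(TAMPERED_IMAGE),
        "tampered_verified": verified_boot_check(TAMPERED_IMAGE, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'boot allowed' if allowed else 'boot refused'}")
```

The weak check lets the tampered image boot because it only reads a claim the image makes about itself; the pinned-digest check refuses it because the anchor lives outside the attacker's control.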
Peloton Issues Updates
Peloton has issued a fix in the latest version of its firmware. Owners of Peloton equipment have been urged to install the update to prevent the vulnerability from compromising the security of gym-goers. Home users have also been urged to install it, because the vulnerability may have been exploited in the supply chain. The update can be installed from the tablet, or a user can enable automatic updates.
The vulnerability was likely exploited due to the increase in people joining gyms after lockdowns caused by Covid-19. According to a report issued by Peloton, the number of Peloton users increased by 22% between September and December 2020, reaching over 4.4 million.
The head of global information security for Peloton, Adrian Stone, spoke on the matter stating that, “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June, and every device with the update installed is protected from this issue.”
It is not the first time that Peloton’s software has been exposed for its vulnerabilities. In May, Jan Masters, a security researcher from Pen Test Partners, revealed that the Peloton API was not protecting users’ private profiles, including age, city and workout history. The profiles were exposed even when users had set them to private.