A vulnerability in the Peloton Bike+ could have allowed an attacker to remotely spy on users, McAfee's Advanced Threat Research (ATR) team found.
The bug, which has already been addressed through a mandatory patch issued to affected devices worldwide, could have given an attacker remote root access to the Peloton tablet. Researchers note that a threat actor would have required physical access to the equipment in order to take advantage of the flaw.
"The hacker could install malicious software, intercept traffic and user's personal data, and even gain control of the Bike's camera and microphone over the internet," McAfee wrote in a blog post on the discovery.
The flaw was found in the Android Verified Boot (AVB) process. It could be exploited, for example, on Peloton equipment in a gym or a hotel, and then used to spy on riders or harvest user credentials, McAfee researchers explained.
The security firm says Peloton confirmed the vulnerability is also present on Peloton Tread exercise equipment. McAfee informed Peloton about the vulnerability in March and the patch was tested and confirmed earlier this month.
McAfee says the discovery is a reminder to consumers that IoT fitness equipment and devices require the same level of security as any connected device, like a computer or a smartphone.
The report from McAfee can be read here.