June 17, 2021
A vulnerability in the Peloton Bike+ could have allowed an attacker to remotely spy on users, McAfee's Advanced Threat Research (ATR) team found.
The bug, which has already been addressed through a mandatory patch issued to affected devices worldwide, could have given an attacker remote root access to the Peloton tablet. Researchers note a threat actor would have required physical access to the equipment in order to take advantage of the flaw.
"The hacker could install malicious software, intercept traffic and user's personal data, and even gain control of the Bike's camera and microphone over the internet," McAfee wrote in a blog post on the discovery.
This flaw was found in the Android Verified Boot (AVB) process. It could be exploited, for example, on Peloton equipment in a gym or a hotel and then used to spy on riders or harvest user credentials, McAfee researchers explained.
The security firm says Peloton confirmed the vulnerability is also present on Peloton Tread exercise equipment. McAfee informed Peloton about the vulnerability in March and the patch was tested and confirmed earlier this month.
McAfee says the discovery is a reminder to consumers that IoT fitness equipment and devices require the same level of security as any connected device, like a computer or a smartphone.
The report from McAfee can be read here.