Peloton Bugs Expose Enterprise Networks to IoT Attacks

People could potentially lose more than just pounds by using a Peloton treadmill, as the Internet-connected fitness equipment also can leak sensitive data or pose as an initial-access pathway through an attack that compromises any of three key attack vectors, a researcher has found.

Researchers from Check Point Software took a deep dive into the popular Peloton Tread equipment and found that attackers can enter the system — which is essentially an Internet of Things (IoT) device — via the OS, applications, or by exploiting APIs to load various malware.

Hacking a Peloton Tread through any of these points could lead to the exposure not only of a user's personal data, but attackers could also leverage the machine's connectivity to move laterally to a corporate network to mount a ransomware or other type of high-level attacks, the researchers revealed in a blog post published this week.

"As fitness enthusiasts embrace the convenience and connectivity of these advanced workout machines, it becomes imperative to explore their potential vulnerabilities," according to the post, attributed to Check Point's Augusto Morales, technology lead for threat solutions; Shlomi Feldman, product management, Quantum IoT Protect & SD-WAN; and Mitch Muro, product marketing manager, Quantum IoT Protect & Quantum Spark.

The Peloton fitness brand is perhaps best known for its stationary bicycle and related application, which saw an explosive surge in popularity during the COVID-19 pandemic. The company also offers Peloton Tread, a companion treadmill device that operates on the Android OS, which was the focus of the researchers' investigation.

Researchers had also identified a previous flaw in the Peloton system which could have allowed attackers to remotely spy on victims through an open unauthenticated API. Indeed, its mere existence as an IoT device exposes the home fitness gear to the same vulnerabilities that any Internet-exposed device faces, and the potential risks to users that go along with them.

Check Point alerted Peloton of the flaws the researchers discovered. The company assessed them and ultimately determined that physical access to the device was required for exploitation, Peloton said in a statement published by Check Point.

"We have reviewed the reported issues and determined that they meet expected security measures for Android-based devices," Peloton said.

Hacking the Peloton OS

Indeed, one aspect that the researchers said makes the Peloton Tread vulnerable is the fact that it runs on Android, basically making it as vulnerable as any Android device to flaws that are present in the OS. What's more, the Peloton Tread is currently running about three versions behind of the current Android 13 —specifically, on Android 10 with a build number of QT.22082.A. This implies that "there could be potentially more than 1,100 vulnerabilities from 2022 and 2023 alone that could theoretically be exploited to compromise this treadmill," the researchers noted in the post.

Aside from that, a malicious actor could potentially enable USB debugging on Peloton Tread's OS and gain access to the shell, as well as obtain a list of all installed packages on the OS, the researchers found.

With the shell fully accessible, a threat actor can fetch any application for further analysis and/or reverse engineering, and exploit flaws on apps to take advantage of the embedded binaries to make lateral movements.

Exploiting Applications

With the applications exposed, attackers can explore which ones use rooting detection to prevent unauthorized software from running on non-approved hardware. Although this is a basic security measure, attackers can tap publicly available techniques for bypassing rooting detection to discover more vulnerabilities within the apps and exploit them to extract secrets or discover further API flaws in the backend.

The researchers shared an example of how a license key included in the code of embedded text-to-speech services was exposed via cleartext, making it available for potential abuse that could result in a denial-of-service (DoS) attack.

Attackers also could launch an escalation-of-privilege attack to gain access to personal data by exploiting any one of a number of unprotected services that expose non-Peloton apps running on the platform. "For instance, malware could exploit this lack of security control to obtain tokens," the researchers wrote.

Further, creating a malicious app to abuse broadcast receivers can put the machine in an infinite loop that could potentially disable update processes. "It would prevent vulnerability management and patching, fact that will facilitate keeping the treadmill under the malicious actor’s control," the researchers noted.

RAT-ting out APIs in the Android IoT Ecosystem

The aforementioned APIs that attackers can discover also can be exploited by attackers to execute Android code, paving the way for nefarious networking actions that take advantage of the device's always-on nature.

Further, attackers can use the APIs to install malware that exploit the machine's webcam and microphone for eavesdropping attacks. In fact, the Check Point team successfully compromised Peloton Tread in this way by sideloading a mobile remote access tool (MRAT), "effectively turning it into a zombie IoT device that can be remotely controlled," the researchers wrote.

Through the MRAT, the researchers gained full access to the treadmill’s functionalities, and could record audio, take pictures, access geolocation, and abuse the network stack, they said. They also could access the local area network (LAN) and capture images, which they shared in the post.

Unsuspected IoT Entry Point to the Enterprise

Another dangerous aspect of using a Peloton as the point of entry to an enterprise network is that it's highly unlikely that anyone would suspect a home workout machine would be the source of compromise for a work network. This gives malicious actors ample time to cover their tracks, the researchers noted.

It's especially important for anyone who uses a Peloton where another enterprise-connected device is present to implement comprehensive security protocols across all IoT devices, even if they don't consider it a risk.

"This involves gaining a thorough understanding of the software components of your devices, including your Peloton treadmill, and being prepared to mitigate cyber-attacks using non-standard methods," the researchers wrote.

From an enterprise perspective, network administrators should implement solutions that protect against the vulnerabilities and threats to all IoT-connected devices, including malware, botnets, and DDoS attacks.

Visibility solutions that monitor communications across IoT devices, both internal and external, can also help by administering zero-trust access policies that allow only necessary communications for normal IoT operations to pass through and flag and block suspicious connection attempts.