Peloton Bug Could Give Hackers Control of Exercise Equipment

Hackers with physical access to the popular Peloton Bike+ and Peloton Tread exercise equipment could reportedly gain root entry to the device’s tablet, allowing them to perform a number of remote attacks including taking over the exercise equipment’s web camera.

Threat Post reports that the popular Peloton Bike+ and Peloton Tread exercise equipment contain a security vulnerability that could expose gym users to a number of cyberattacks ranging from personal data theft to secret video recording.

According to research from McAfee’s Advanced Threat Research (ATR) team, the bug would allow a hacker to gain remote root access to the tablet installed on the Peloton devices. This tablet is the touch screen installed on the device to deliver streaming content including workout coaching and even allowing video calls using an integrated camera.

Once a hacker has gained root access, it is easy to install malware, intercept traffic and user’s personal data, and even control the camera and microphone of the tablet. Some attack scenarios include adding malicious apps disguised as normal services such as Netflix and Spotify to steal login credentials. Hackers could also record video or audio of users while they exercise, possibly intercepting phone calls and learning personal details.

However, an attacker would initially need physical access to the machines to gain root access, making gyms the primary place for real-world exploitation. Hackers would simply have to insert a USB key with a boot image file that would grant them remote root access into the device.

McAfee’s analysis states: “Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with. With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files or set up remote backdoor access over the internet.”

COMMENTS