
Peloton security vulnerability could leave users open to hackers, researchers say

Jeff Chiu/Associated Press

Most Peloton users ride the sleek bikes to get strong. But what happens if there’s a weakness in the equipment’s tech security?

A security flaw in Peloton’s Bike+ model could leave the machine open to hackers, allowing them access to users’ credentials, control of the camera, and other operations, according to an independent investigation published Wednesday from security software company McAfee.

Such a breach would require someone to have physical access to a Peloton bike and to plug another device into the USB port to access the Android operating system, explained Steve Povolny, head of advanced threat research at McAfee.


“When your operating system on your computer boots up, it should be checking that that’s the operating system that it expects,” he said in an interview. “In this case, the Android operating system here used by Peloton on their Bike+ is really just failing that expected check.”

Without that check, Povolny said, the McAfee researchers could load their own customized operating system, giving them full control over every aspect of the $2,495 Bike+ from any remote setting.

“That’s where we talked about harvesting credentials, we talked about accessing the camera on the microphone and really anything that you can do on this operating system for the bike, that’s what they could do now, remotely,” he said.

This vulnerability also was present on Peloton Tread exercise equipment, McAfee confirmed.

The hacked Peloton equipment showed no signs of tampering, either to users or to engineers, Povolny said.

Importantly, McAfee found no evidence that the security flaw, which has been patched, had been exploited by hackers, he added.

The most likely scenario for such a hack, Povolny said, would be in a location like a gym or hotel, where there is open access to the bikes. Another possibility, he noted, would be somebody tampering with devices en masse in the supply chain, to then be sent out like “Trojan horses” into people’s homes or other settings.


“Supply chain stuff has really proliferated over the last couple of years, and that’s one of the reasons we felt it was really important to work with Peloton to get this one patched,” he said.

McAfee, which also has done research on the security of Tesla electric vehicles and medical devices, reported the security concern to Peloton through its Coordinated Vulnerability Disclosure program on March 2. McAfee operates under responsible disclosure, meaning it alerts a vendor to a security issue and then offers 90 days to respond prior to disclosing it publicly.

After working with McAfee for three months, Peloton pushed out a mandatory update to all of its machines to remedy the issue in June, effectively locking users out of the bikes until they completed the update.

“Peloton fixed the issue within the standard disclosure timeframe and every device with the update installed is protected from this issue,” Peloton said in a statement to the Globe Wednesday. “Peloton also does not currently offer Peloton Bike+ or Tread for commercial use and the vulnerability McAfee reported would require direct, physical access to a Peloton Bike+ or Tread to exploit the issue.”

Sam Quinn, a security researcher on the Advanced Threat Research team at McAfee, said the update proved “very effective” at mitigating the potential for a security breach or eliminating the access of anybody who had already hacked into the device.


“I have to give [Peloton] major kudos,” Povolny said. “They locked their own customers out of using a product they bought to prioritize the security update ... this is really something that we preach as something that should be status quo across the industry.”

The security flaw is just the latest safety issue for Peloton. In May, the company came out with a security update that fixed a leak that was revealing personal information from a user’s account, CNN reported.

Also in May, Peloton recalled about 125,000 of its treadmills that were linked to the death of a child and injuries to 29 others, after previously pushing back against a warning from the U.S. Consumer Product Safety Commission regarding the machines. Peloton offered full refunds for the $4,200 Tread+ treadmills, and stopped selling them. That same day, Peloton’s stock plummeted 14.6 percent, its second-biggest one-day percentage decline since the stock started trading in 2019, the Associated Press reported.

Povolny said “the trend is not going down” on these types of attacks, and they are growing more complex. To protect yourself from security breaches, he suggested applying updates or bug fixes to your personal devices whenever they become available, and practicing “strong password hygiene” by using long, complicated, unrepeated passwords and a password manager.

“We’ve seen the Colonial Pipeline attack, the meat processor food ransomware, so we’re seeing all sorts of variations of attack very similar to this across almost every single industry sector,” Povolny said. “Anything that’s a computer system as a baseline is subject to an attack, and Peloton is no exception.”


Dana Gerber can be reached at dana.gerber@globe.com. Follow her on Twitter @danagerber6.