The popular Peloton Bike+ had a vulnerability which, when exploited, would have allowed an attacker to gain complete control over the device, including its camera and microphone, to spy on gym users.
The vulnerability was discovered by researchers from McAfee’s Advanced Threat Research (ATR) team. The flaw could be exploited by attackers to get remote root access to the Peloton’s “tablet.” The touch screen tablet allows users to access interactive and streaming content.
However, exploitation requires physical access to the bike, or access at some point in the supply chain (from construction to delivery).
The tablet, which is a standard Android device, would, once compromised, let an attacker install malware, eavesdrop on traffic, and take total control of the Bike+.
According to the analysis published by the experts, an attacker could enter a gym or fitness center with a Peloton Bike+ and insert a tiny USB key carrying a boot image file with malicious code that grants them remote root access. Since the attacker does not need to factory unlock the bike to load the modified image, there is no sign that it was tampered with.
Once in, the attacker can interfere with the Peloton’s operating system, installing and running any program, modifying files, or setting up remote backdoor access over the internet.
The threat actor could also add malicious apps disguised as popular applications, such as Netflix or Spotify, to steal the login credentials of gym users. They could also collect information about users’ workouts or spy on them via the bike’s camera and microphone.
Attackers could then decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially exposing sensitive information.
The experts found that the Bike’s system did not verify that the device’s bootloader was unlocked before attempting to boot a custom image, allowing them to boot a file that was not meant for the Peloton hardware.
They demonstrated that it is possible to modify a legitimate update package for the Bike+ that contained a valid boot image; by modifying that package, the McAfee experts achieved elevated permissions.
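To illustrate the missing check, the following is an added example (not Peloton’s or McAfee’s code) that models a boot-image gate: `vulnerable_boot_decision` boots any well-formed image regardless of lock state, mirroring the flaw described above, while `hardened_boot_decision` refuses an image that is not OEM-signed unless the bootloader has been deliberately unlocked. The simplified image layout, the HMAC stand-in for an asymmetric signature, and the key and sample images are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the OEM signing key. A real bootloader verifies an
# asymmetric signature against a key rooted in hardware; HMAC keeps this offline.
OEM_KEY = b"constructed-oem-signing-key"
MAGIC = b"ANDROID!"   # the magic that opens a real Android boot image header
TAG_LEN = 32          # SHA-256 digest length

@dataclass
class DeviceState:
    bootloader_unlocked: bool   # set only by a deliberate, user-visible factory unlock

def sign_image(payload: bytes) -> bytes:
    """Build a simplified image: MAGIC || payload || HMAC(key, MAGIC || payload)."""
    body = MAGIC + payload
    return body + hmac.new(OEM_KEY, body, hashlib.sha256).digest()

def image_is_oem_signed(image: bytes) -> bool:
    """Recompute the tag over everything but the trailing tag and compare in constant time."""
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(OEM_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def vulnerable_boot_decision(image: bytes, state: DeviceState) -> bool:
    """Models the reported flaw: any well-formed image boots, whether or not the
    bootloader is unlocked and whether or not the image is OEM-signed."""
    return image.startswith(MAGIC)

def hardened_boot_decision(image: bytes, state: DeviceState) -> bool:
    """Boot OEM-signed images always; boot anything else only if the owner has
    deliberately unlocked the bootloader, which leaves a visible tamper indicator."""
    if not image.startswith(MAGIC):
        return False
    if image_is_oem_signed(image):
        return True
    return state.bootloader_unlocked

# Constructed samples: a legitimate image and a copy whose payload was altered
# after signing, standing in for a modified update package.
LEGIT_IMAGE = sign_image(b"kernel-and-ramdisk:release")
TAMPERED_IMAGE = LEGIT_IMAGE.replace(b"release", b"patched")
LOCKED = DeviceState(bootloader_unlocked=False)

if __name__ == "__main__":
    for name, gate in (("vulnerable", vulnerable_boot_decision), ("hardened", hardened_boot_decision)):
        print(f"{name} gate boots tampered image on locked device: {gate(TAMPERED_IMAGE, LOCKED)}")
```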
Peloton has addressed the vulnerability by releasing a new firmware version. To check whether the bike is updated to the latest software, users can consult the Settings section of the touchscreen.
Peloton exercise equipment gained popularity during the pandemic, as it allows users to work out from home while interacting with each other in an online community.
Peloton devices are connected online and are equipped with a camera and microphone; these same features can pose a risk to the user in the event of a hack.
Image Credits: CBS News