McAfee's software security company exposed a vulnerability in the Peloton Bike Plus that would have allowed hackers to have complete control over devices.
- A vulnerability with the Peloton Bike+ that would have allowed the hackers to access the machine's tablet has been fixed after being identified by McAfee's Advanced Threat Research team.
- The hackers could install malicious software, intercept personal data and gain control of the bike’s camera and microphone.
McAfee's software security company exposed a vulnerability in the Peloton Bike Plus that would have allowed hackers to have complete control over devices.
According to Backlinko, Peloton bikes saw a surge in popularity as people looked for in-homefitness options during COVID-19 lockdowns. There was a 22% increase in Peloton users between September and the end of December 2020.
The Advanced Threat Research Team at McAfee said the problem stemmed from the Android attachment that accompanies the Peloton stationary exercise Bike+.
"Viral marketing mishaps aside, Peloton has garnered attention recently regarding concerns surrounding the privacy and security of its products. So, we decided to take a look for ourselves and purchased a Pelton Bike+."
Hackers could insert a USB key with a boot image file with malicious code. This would give them remote root access and the ability to install and run any programs, change files or set up remote backdoor access online.
McAfee said attackers could access the bike through the port and install fake versions of popular apps like Netflix and Spotify, which could fool users into entering their personal information.
They could make the bike's camera and mic spy on the user and even decrypt communications between the bike and various cloud services and databases to intercept sensitive information.
“The flaw was that Peloton failed to validate that the operating system was loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam."
Peloton is the manufacturer of popular fitness machines. Peloton reportedly patched the issue on June 4 during the disclosure window, and there are no indications the vulnerability has been exploited in the wild.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.
You may be interested in reading: How to Survive the COVID Time Cyber Security Threats?