The popular Peloton Bike+ & Peloton Tread exercise equipment contain a security vulnerability that could expose gym users to a wide variety of cyber-attacks, from credential theft to hidden video recordings.
An attacker with initial physical access (e.g., a gym) could gain root entry to the interactive tablet, making for many remote attack scenarios.
Says research from McAfee’s Advanced Threat Research (ATR) team, the bug (no CVE available) would allow a hacker to gain remote root access to the Peloton’s “tablet.”
The tablet is the touch screen installed on the devices to deliver interactive & streaming content, such as the motivational workout coaching that will be familiar to anyone watching TV commercials during the pandemic.
From there, a diligent hacker could install malware, intercept traffic & user’s personal data, & even control the Bike+ or Tread camera & microphone over the internet.
Some of the attack scenarios include adding malicious apps disguised as Netflix & Spotify designed to harvest login credentials for them to harvest for other cyber-attacks. Also, recordings could be people’s workouts for personal use, or to be put up for sale on the nasty parts of the internet.
Nuisance attacks are possible too, like replacing content with attacker-controlled videos, or even bricking the tablets entirely. Attackers could decrypt the bike’s encrypted communications with the various cloud services & databases it accesses, potentially intercepting all kinds of sensitive business & customer information.
There is a catch. An attacker would need either physical access to the workout machines or access during any point in the supply chain (from construction to delivery), McAfee noted – which means that gyms are the likeliest place for real-world exploitation.
The hack works thus: An attacker would simply insert a tiny USB key with a boot image file containing malicious code that grants them remote root access, researchers explained.
“Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with,” according to McAfee’s analysis. “With their newfound access, the hacker interferes with the Peloton’s operating system & now has the ability to install & run any programs, modify files or set up remote backdoor access over the internet.”
At issue is the fact that Bike+ and Tread systems were not verifying that the device’s bootloader was unlocked before attempting to boot a custom image.
Weaponize the Problem
“This means that the gear allowed researchers to load a file that wasn’t meant for the Peloton hardware — a command that should normally be denied on a locked device such as this one,” researchers explained.
To weaponize the problem, researchers downloaded an update package for Bike+ directly from Peloton, which contained a valid boot image that McAfee simply modified to give them elevated permissions.
“The Verified Boot process on the bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file,” according to the writeup.
“To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, we had gained complete control of the bike’s Android operating system.”
Come On, Peloton – You Got This!
Peloton issued a patch in the latest version of its firmware. Gym owners should of course initiate updates as soon as possible.
Because of COVID-19 driving more people to exercise inside their homes, the number of Peloton users grew 22% between Sept. & the end of Dec., with more than 4.4m members on the platform at year’s end, according to a shareholder letter.
There is no indication that any supply-chain exploits have been introduced into the ecosystem, but home users should update their firmware too.
Explained Adrian Stone, Peloton’s Head of Global Information Security, “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread.
Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls & safeguards become increasingly important.
To keep our members safe, we acted quickly & in coordination with McAfee. We pushed a mandatory update in early June & every device with the update installed is protected from this issue.”
To check whether the system is up-to-date, users can do so (& initiate an upgrade if necessary) straight from the tablet. It’s also good practice to turn on automatic updating.
This news comes after a May revelation that the Peloton API responsible for uploading data from bikes to Peloton’s servers was exposing members’ private profile, age, city, workout history & more. Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to take users’ private account data right off Peloton’s servers, regardless of their profiles being set to private.