The computer security company said in a blog post on Wednesday that a vulnerability, identified by McAfee’s Advanced Threat Research team, allowed hackers to access the machine’s tablet. Hackers with physical access to the Bike Plus, or access at some point from manufacture to delivery, would be able to gain remote root access to the tablet, install malicious software, intercept traffic and personal data, and gain control of the bike’s camera and microphone, McAfee said.
An example of how this would work is that a hacker could enter a gym with a Peloton Bike Plus and insert a USB key with a boot image file containing malicious code. This would give them remote root access and the ability to install and run any program, convert files, or set up remote backdoor access online. For example, they could add malicious apps that look like Netflix or Spotify; users would then enter their login information, which would be collected for other cyber attacks. They could spy on the user through the bike’s camera and mic, and could also decrypt the communication between the bike and various cloud services and databases to intercept sensitive information.
McAfee was not aware of any real-world breaches that took advantage of the vulnerability. Peloton pushed out a mandatory update in early June to protect its devices from this issue.
Peloton bikes saw a rise in popularity as people looked for in-home fitness options during the COVID-19 lockdown. According to Backlinko, there was a 22% increase in Peloton users between the end of September and December 2020, and the platform had over 4.4 million members by the end of the year.
The researchers pinpointed the vulnerability while looking for potential risks, finding that the bikes allowed them to load a file that was not intended for Peloton’s hardware. That’s something that shouldn’t be possible on a locked device, they say. The McAfee ATR team informed Peloton about the vulnerability and began working with the company to release a patch, which was tested and found to be effective on June 4.
The team advises consumers to stay on top of software updates from device manufacturers, and also to update mobile apps that integrate with their Internet of Things devices. The researchers also say to make sure that any IoT device you choose to buy is from a reputable vendor that takes product security seriously. In addition, be aware of the information the device collects, how vendors use that information and what they share with third parties or other users.
“Above all, understand what control you have over your privacy and use of the information,” the researchers wrote in the blog. “It’s a good sign if an IoT device allows you to opt out of collecting your information or lets you access and delete the data it collects.”