Following news that Peloton’s API exposed private user account data, McAfee’s Advanced Threat Research team says the Bike+ had a dangerous flaw that could enable hackers to invisibly and remotely gain control of bikes.
McAfee says its researchers began poking around Peloton’s systems once the workout-at-home trend took off during the pandemic. In the process, they found that the Bike+ software wasn’t verifying whether the device’s bootloader was unlocked, enabling them to upload a custom image that wasn’t meant for Peloton hardware. After downloading an official Peloton update package, the researchers were then able to modify Peloton’s actual boot image and gain root access to the bike’s software. The Android Verified Boot process wasn’t able to detect that the image had been tampered with.
Or put more simply, a hacker could use a USB key to upload a fake boot image file that grants them access to a bike remotely without a user ever knowing. That hacker can then install and run programs, modify files, harvest login credentials, intercept encrypted internet traffic, or spy on users through the bike’s camera and microphone.
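The integrity check that failed here is the one Android Verified Boot is supposed to enforce: a locked bootloader plus a "green" verified-boot state means a modified boot image is refused, while an unlocked device boots it with only a warning. The script below is an added example, not code from the article or from McAfee's research, showing how a defender can read that state from `getprop` output and decide whether a device would actually reject a tampered image. The property names (`ro.boot.verifiedbootstate`, `ro.boot.vbmeta.device_state`, `ro.boot.flash.locked`) are real Android properties; the sample `getprop` output is constructed, and whether Peloton's firmware exposes these particular properties is an assumption.

```python
"""Added example (not from the article or McAfee): decide from Android
`getprop` output whether Verified Boot would refuse a modified boot image.
Property names are real Android/AVB properties; the sample output is constructed."""

import re

# AVB boot-state colour: green = verified with the OEM key, yellow = verified with
# a user-installed key, orange = bootloader unlocked (no enforcement), red = failed.
VBSTATE_PROP = "ro.boot.verifiedbootstate"
# Bootloader lock state as seen by AVB: "locked" or "unlocked".
DEVICE_STATE_PROP = "ro.boot.vbmeta.device_state"
# Some devices also expose "1" (locked) / "0" (unlocked) here.
FLASH_LOCKED_PROP = "ro.boot.flash.locked"

# Constructed sample: what `adb shell getprop` might print on a device whose
# bootloader has been unlocked, so an unsigned image boots in the orange state.
SAMPLE_UNLOCKED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.version.release]: [9]
"""

# Constructed sample of a properly locked device.
SAMPLE_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
"""

_LINE_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict; ignore anything else."""
    props = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def verified_boot_verdict(props):
    """Return (enforcing, reasons).

    enforcing is True only when the bootloader is locked and AVB reports the
    green state, i.e. a tampered boot image would be refused rather than booted
    with a warning. reasons lists every property that falls short of that."""
    reasons = []
    state = props.get(VBSTATE_PROP, "missing")
    if state != "green":
        reasons.append(f"{VBSTATE_PROP}={state} (expected green)")
    dev = props.get(DEVICE_STATE_PROP, "missing")
    if dev != "locked":
        reasons.append(f"{DEVICE_STATE_PROP}={dev} (expected locked)")
    flash = props.get(FLASH_LOCKED_PROP)
    # Not every device exposes this property, so only a present-but-unlocked
    # value counts against the device.
    if flash is not None and flash != "1":
        reasons.append(f"{FLASH_LOCKED_PROP}={flash} (expected 1)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, sample in (("unlocked", SAMPLE_UNLOCKED), ("locked", SAMPLE_LOCKED)):
        ok, why = verified_boot_verdict(parse_getprop(sample))
        print(f"{label}: " + ("verified boot enforcing" if ok else "NOT enforcing: " + "; ".join(why)))
```

On a real device the input would come from `adb shell getprop` (or the equivalent on a vendor build); an orange or red state, or any "unlocked" value, is the condition under which a boot image from a USB key could be accepted, and is the thing to flag in a fleet or pre-deployment check.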
This vulnerability may not sound all that serious for home users, as it requires physical access to the Bike+ to pull off. However, McAfee says that a bad actor could load the malware at any point during construction, at a warehouse, or in the delivery process. The original Peloton bikes are also popular fixtures at gyms and fitness centers in hotels and apartment buildings—an area that the company is keen to expand in. Peloton dropped $420 million to acquire Precor in December, and a big reason why is that Precor had an extensive commercial network that includes hotels, corporate campuses, colleges, and apartment complexes. The Bike+ may not be commercially available at the moment, but that doesn’t mean it won’t be in the future.
Peloton reportedly patched the issue on June 4 during the disclosure window, and there are no indications the vulnerability has been exploited in the wild. The company also confirmed that the flaw was found on the Peloton Tread, which was recalled last month along with the Peloton Tread+.
This is usually the point where we tell you to go and make sure you have the most recent firmware update—which you can do following these instructions. That said, the company doesn’t publicize software release notes. It’s an omission that Peloton should perhaps fix, considering how popular connected fitness has become in the past year. In cases like these, it’s a good idea to enable automatic updates if possible. Another thing to keep in mind is that Peloton prohibits users from downloading other apps, such as Netflix or Spotify, onto its bikes and treadmills. (Though there are ways to get around that.) So, if you ever happen to be on a public Peloton and it has other apps... you probably shouldn’t use it.
Update, 06/16/2021, 8:40 am: Clarified that only original Peloton bikes are currently found in commercial settings. An earlier version of this article noted that it wasn’t easy to check Peloton updates; we’ve since added a link on how to verify you have the latest Peloton updates. We regret the error.