Peloton exercise equipment is susceptible to hacking that could lead to malware installation and spying, claims McAfee’s Advanced Threat Research team.
According to its latest research, a vulnerability, tracked as CVE-2021-3387, was discovered in the touchscreen of the Peloton Bike+ and Tread+, allowing threat actors to control it remotely without any involvement of the equipment’s operating system.
The $2,495 bike is one of the company’s most widely used pieces of equipment.
What are the Dangers?
The flaw was identified in the Peloton Bike’s software. McAfee researchers noted that it could be exploited to install malicious applications in the guise of popular apps like Spotify or Netflix and steal the user’s login credentials and personal data.
Moreover, bad actors can use it to access the Peloton bike’s microphone and camera and spy on the user.
Which Bikes are At-Risk?
In a blog post, the researchers wrote that bikes used in public spaces and hotels are the most at-risk equipment, since an attacker can easily reach the screen and load malicious code from a USB drive to exploit the flaw.
The high-tech bells and whistles, the very features that make this bike worth over $2,000, pose the most significant security threat. Because the devices have a camera and microphone, an attacker can easily spy on the user or monitor the area around the bike.
On the other hand, the lower-priced Peloton Bike was found to be unaffected by the flaw because its touchscreen is different. The researchers also noted that, according to the company, the flaw affects the Peloton Tread exercise equipment as well, although McAfee’s own research was limited to the Bike+.
The Flaw has been Fixed.
After the flaw was detected, McAfee contacted Peloton and shared details of the vulnerability. The two companies cooperatively developed and issued a patch. The software update was released earlier in June, followed by an official statement from Peloton’s Head of Global Information Security, Adrian Stone, which read:
“This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important.”
“To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”