Jun 16 2021

A flaw in Peloton Bike+ could allow hackers to control it

Category: HackingDISC @ 10:21 am

A flaw in the Peloton Bike+ could be exploited by an attacker with initial physical access to gain root entry to the interactive tablet, taking complete control of the system.

A vulnerability in the popular Peloton Bike+ could have allowed an attacker to gain complete control over the device, including the camera and microphone to spy on the gym users.

The flaw was discovered by researchers from McAfee’s Advanced Threat Research (ATR) team, it could be exploited by attackers to gain remote root access to the Peloton’s “tablet.” The touch screen tablet allows users to access interactive and streaming content.

Experts pointed out that the attackers need physical access to the bike or access during any point in the supply chain (from construction to delivery),

Experts noticed that the tablet is a standard Android device, once compromised it, the attacker could install malware, eavesdrop on traffic, and take the full control of the Bike+.

“A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with.” reads the analysis published by the experts. “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files, or set up remote backdoor access over the internet. “

The attackers could add malicious apps disguised as popular applications, such as Netflix or Spotify, that could allow them to steal the login credentials of the gym users. An attacker could also gather info regarding users’ workouts or spy on them via the bike’s camera and microphone.

Attackers could decrypt the encrypted communications from the bike to various cloud services and databases it accesses, potentially accessing sensitive information. 

The researchers discovered that the Bike’s system did not verify that the device’s bootloader was unlocked before attempting to boot a custom image, allowing the experts to load a file that wasn’t meant for the Peloton hardware.


Tags: flaw in Peloton Bike