Peloton Bike+: Flaw allows hackers to take full control

The popular Peloton Bike+ exercise bike and the Peloton Tread treadmill contain a flaw that could allow cybercriminals to attack the machines' users (from stealing credentials to covert video recording).

According to research by McAfee's Advanced Threat Research (ATR) team, the flaw allows a hacker to gain remote root access to Peloton's tablet. The tablet is the touchscreen installed on the gym equipment to deliver interactive content and streaming (e.g. guided training).

From there, a hacker could install malware, monitor the user's activity and personal data, and even control the camera and microphone of the Peloton Bike+ or Tread over the Internet.

Thanks to the vulnerability, the attacker could install malicious applications that look like other apps such as Netflix or Spotify. Such applications may be designed to collect credentials. It is also possible to record video of users' workouts, which a hacker could sell on the dark web.

Hackers could also replace user content with attacker-controlled videos or even destroy the entire tablet. Finally, attackers could decrypt the Peloton Bike+'s encrypted communications with various cloud services and databases, gaining access to sensitive business and customer information.

However, to exploit the vulnerability, the intruder must have physical access to the machine, either directly or at some point in the supply chain (from construction to delivery). Gyms are therefore at risk, since anyone can approach the gym equipment.

The intruder simply inserts a small USB key carrying a boot image file that contains malicious code, which gives them remote root access.

According to McAfee, once the hacker gains access, they can tamper with the Peloton operating system, install and run any programs, modify files, and gain virtually full control of the Peloton Bike+'s Android operating system.

Peloton issued a fix in the latest firmware version. Gym owners using Peloton Bike+ and Tread should update the machines as soon as possible.

Although there is no evidence that supply-chain exploits have been introduced into the ecosystem, home users should update their firmware as soon as possible.

According to Adrian Stone, a Peloton executive, “This vulnerability reported by McAfee would require immediate, physical access to a Peloton Bike+ or Tread… To keep our members safe, we acted quickly and in coordination with McAfee. We released an update in early June and every device with the update installed is protected against this issue.”

Source: ThreatPost

Digital fortress