The popular Peloton Bike+ exercise bike and the Peloton Tread treadmill contain a flaw that could allow cyber criminals to attack users of the machines, from stealing credentials to covert video recording.
According to research by McAfee's Advanced Threat Research (ATR) team, the flaw allows an attacker to gain remote root access to the Peloton tablet. The tablet is the touch screen installed in the gym equipment to provide interactive content and streaming (e.g. guided workouts).
From there, an attacker could install malware that monitors the user's activity and personal data, and even control the camera and microphone of the Peloton Bike+ or Tread over the Internet.
Thanks to the vulnerability, the criminal could install malicious applications that look like legitimate apps such as Netflix or Spotify. Such applications could be designed to harvest credentials. It would also be possible to record video of users' workouts, which an attacker could sell on the dark web.
Attackers could also replace user content with intruder-controlled videos, or even render the entire tablet unusable. Finally, attackers could decrypt the Peloton Bike+'s encrypted communications with various cloud services and databases, gaining access to sensitive business and customer information.
However, to exploit the vulnerability, the intruder must have physical access to the machine, or access at some point in the supply chain (from manufacturing to delivery). Gyms are therefore at risk, since anyone can approach the equipment.
The intruder simply plugs in a small USB key containing a boot image file with malicious code, which gives them remote root access.
According to McAfee, once the attacker gains access, they can tamper with the Peloton operating system, install and run any program, modify files, and gain virtually full control of the Peloton Bike+'s Android operating system.
Peloton has released a fix in the latest firmware version. Gym owners using the Peloton Bike+ and Tread should update the machines as soon as possible.
Although there is no evidence that supply-chain exploits have been introduced into the ecosystem, home users should also update their firmware as soon as possible.
According to Adrian Stone, a Peloton executive: “This vulnerability reported by McAfee would require immediate, physical access to a Peloton Bike+ or Tread… To keep our members safe, we acted quickly and in coordination with McAfee. We released an update in early June and every device with the update installed is protected against this issue.”