A now-patched issue in the Peloton Bike+ could have allowed a remote attacker to execute code on the device and take control of its features, such as its video camera and audio system.
Peloton is the US manufacturer of incredibly popular fitness machines, such as the Peloton Bike and the Peloton Tread.
In their report, McAfee researchers detail how they managed to hack the smart bike, which turned out to be neither as secure – nor as smart – as it should be. For the study, the researchers bought a Peloton Bike+ to probe its Android operating system.
Under the attractive exterior there is a standard Android tablet, McAfee wrote:
“Under the hood of this glossy exterior, however, is a standard Android tablet, and this hi-tech approach to exercise equipment has not gone unnoticed,” explained security researchers Sam Quinn and Mark Bereza.
Due to the many privacy and security concerns surrounding Peloton’s products, they decided to purchase a Peloton Bike+ and see for themselves.
Android allows a modified boot image to be run on a device without flashing it. This procedure is called fastboot boot, and the OS reverts to its default boot software on reboot. Newer Android versions lock the device to prevent unauthorized boot images from being loaded this way, and the Peloton’s fastboot command likewise reported that the device was in a locked state. However, the researchers discovered that a bug meant the system failed to verify whether the device was actually unlocked, so they could still load a modified boot image.
By doing this, the researchers showed that modified code could be run on the device. They then repeated the process with a valid boot image for the device, but with a ‘su’ command added for elevated privileges. With physical access to the device, they loaded the modified boot.img onto the Peloton Bike+ and managed to root it.
While the device continued to function normally, they now could run any Android app they wanted.
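The weakness described above is that the device claimed to be locked while still booting an image nobody had verified. An operator who runs a fleet of such tablets can at least check what each device reports about its own boot chain. The shell script below is an added example, not Peloton's or McAfee's code: it parses the output of `adb shell getprop` and flags a device whose verified-boot state, bootloader lock flag and vbmeta device state disagree with each other. It assumes the device exposes the standard Android boot properties `ro.boot.verifiedbootstate`, `ro.boot.flash.locked` and `ro.boot.vbmeta.device_state`; the sample property dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Peloton's or McAfee's code): classify an Android tablet's
# boot-integrity state from `adb shell getprop` output so a fleet operator can
# spot a device that is running an unverified boot image.
# Assumption: the device exposes the standard Android boot properties below.

# prop_value PROPS KEY: print the value of KEY from getprop-style text
# ("[key]: [value]" per line); prints nothing if the key is absent.
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | sed -n "s/^\[$key\]: \[\(.*\)\]$/\1/p" | head -n 1
}

# assess_boot_state PROPS: print "OK" or one FINDING line per problem.
# Returns 0 when the boot chain is verified and locked, 1 otherwise.
assess_boot_state() {
    props="$1"
    rc=0
    vbstate=$(prop_value "$props" ro.boot.verifiedbootstate)    # green/yellow/orange/red
    flashlock=$(prop_value "$props" ro.boot.flash.locked)        # 1 = bootloader locked
    devstate=$(prop_value "$props" ro.boot.vbmeta.device_state)  # locked/unlocked

    case "$vbstate" in
        green)  ;;
        yellow) echo "FINDING: boot image signed with a non-OEM key (verifiedbootstate=yellow)"; rc=1 ;;
        orange) echo "FINDING: boot image not verified (verifiedbootstate=orange)"; rc=1 ;;
        red)    echo "FINDING: boot verification failed (verifiedbootstate=red)"; rc=1 ;;
        *)      echo "FINDING: verified boot state not reported"; rc=1 ;;
    esac

    if [ "$flashlock" != "1" ] || [ "$devstate" = "unlocked" ]; then
        echo "FINDING: bootloader reports unlocked (flash.locked=$flashlock, device_state=$devstate)"
        rc=1
    fi

    # The situation McAfee described: the device claims to be locked, yet the
    # running boot image was never verified, so the lock is not being enforced.
    if [ "$flashlock" = "1" ] && [ "$devstate" != "unlocked" ] && [ "$vbstate" != "green" ]; then
        echo "FINDING: lock state not enforced: device reports locked but booted an unverified image"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample getprop output for a healthy device.
SAMPLE_VERIFIED='[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.version.release]: [10]'

# Constructed sample: the device claims to be locked but is running an
# unverified image.
SAMPLE_LOCKED_BUT_UNVERIFIED='[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.version.release]: [10]'

# Stand-alone demonstration. Against a real device use:
#   assess_boot_state "$(adb shell getprop)"
assess_boot_state "$SAMPLE_VERIFIED" || true
assess_boot_state "$SAMPLE_LOCKED_BUT_UNVERIFIED" || true
```

Treat a clean result as necessary rather than sufficient: these properties are set by the bootloader itself, so a bootloader that skips verification may also misreport them. A green state should be backed up by checking the device for a `su` binary and by confirming it runs the fixed software version, and a device that fails either check belongs off the production network until it has been re-imaged.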
McAfee reported the vulnerability, which could allow an attacker to execute arbitrary code on the system, to Peloton, and it was fixed in software version “PTX14A-290”.
Many establishments such as hotels and vacation rentals are now offering Peloton bikes and treadmill rentals to their guests. While Peloton is not a bank or email account, if a threat actor installs malware on the device and gets into an account of a user, they could potentially steal sensitive information like credentials. The threat actors could then use stolen credentials to try and compromise other websites with the same credentials.
Once threat actors gain root privileges, they can also turn on the Peloton’s camera and microphone to spy on its users.
It is also important to note, the researchers warned, that Pelotons are treated as infrastructure by their owners and may sit on the internal network of the commercial location rather than on a walled-off guest network. A compromised Peloton would show no outward signs of tampering, yet if a threat actor hacked it, it could be used to remotely access that network without anyone being aware of it.