McAfee’s Advanced Threat Research (ATR) team researchers have identified a vulnerability in the popular Peloton Bike+ and Peloton Tread exercise machines what could allow them to take full control over the exercise equipment and use the machines in a range of different attack scenarios.
To exploit the vulnerability, an attacker would need to have physical access to a machine. If the flaw is exploited, an attacker could gain root access to the tablet (touchscreen) on the devices which is used to deliver interactive and streaming content to exercisers. That access would allow a hacker to install malware, remotely intercept traffic, steal personal data, and also take control of the camera and microphone on the devices, as well as causing the tablet to fail.
The equipment has proven popular throughout the pandemic with people exercising at home rather than heading to gyms. President Biden is known to use the Peloton Bike every day, which allows him and other users to take part in group exercise sessions. Video and microphone access could pose a major security risk, and videos of celebrities and other individuals could be traded on dark net forums. While there are several potential attack scenarios, the installation of a malicious app is one of the easiest. Adding a malicious app, for a film or music streaming service for example, could allow an attacker to steal credentials.
While initial access to the device is required, that could easily be gained in a gym session. After which, all future users of that device could be at risk. The flaw could also be exploited in a supply chain attack prior to the devices being shipped.
To explain the flaw, an attacker would need to connect a small USB key with a boot image file that includes malicious code to gain root access. The vulnerability is due to the software failing to verify that the device’s bootloader has been unlocked prior to attempting to boot a custom image. The researchers exploited the flaw by downloading a Bike+ update from Peloton that contained a valid boot image, which was then modified to provide elevated (root level) permissions. Since there was no verification mechanism, the operating system started normally with the researchers gaining full access to the Android operating system, without showing any signs that device had been compromised.
“Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with,” said McAfee. “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files or set up remote backdoor access over the internet.”
Peloton has since issued an update for the firmware to correct the problem. All owners of the devices, including gyms, should apply the update as soon as possible to prevent exploitation of the flaw and ensure that automatic updating is enabled so any future security issues are automatically addressed.