Today, McAfee’s Advanced Threat Research (ATR) is releasing a vulnerability disclosure for the Peloton Bike+.
This vulnerability could allow someone with physical access to the bike, or access during any point in the supply chain (from construction to delivery), to gain remote access to the Peloton’s tablet, including the camera, microphone and personal data.
During COVID-19, Peloton bikes became the go-to at-home fitness solution for consumers, and the company's user base grew. As we continue to adapt to a digital-first lifestyle, it is therefore critical that British consumers consider the implications of having more digital touchpoints in their daily activities, and stay vigilant and educated about cybersecurity, the cybersecurity company says.
During this exploration, McAfee discovered that the bike's system was not verifying that the device's bootloader was unlocked before attempting to boot a custom image. In other words, the bike accepted a request to boot a file that was never built for the Peloton hardware, an operation that a locked device such as this one should normally refuse. The researchers' first attempt only produced a blank screen, so the team kept looking for a way to supply a valid but customised boot image, one that would start the bike successfully while granting elevated privileges.
After some digging, the researchers were able to download an update package directly from Peloton that contained a boot image they could modify. By booting a modified version of Peloton's own boot image, the researchers obtained root access. Root access means the ATR team held the highest level of permissions on the device, letting them do things on the bike that Peloton never intended an end user to be able to do.
The Verified Boot process on the bike failed to detect that the researchers had tampered with the boot image, so the operating system started up normally from the modified file. To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no sign of external modification or any clue that the device had been compromised. In reality, ATR had gained complete control of the bike's Android operating system.
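The two checks described above, a locked bootloader refusing host-supplied images and Verified Boot rejecting a tampered image, can be sketched as a toy model. The following is an added example written for this page; it is not Peloton's firmware or McAfee's research code. The boot image bytes, the "modification" that patches the ramdisk, and the use of a pinned SHA-256 digest as a stand-in for the signed vbmeta metadata of a real Android Verified Boot implementation are all constructed assumptions.

```python
"""Toy model of the two boot-time checks the article says the Bike+ skipped.

Constructed example for illustration; not Peloton or McAfee code.
A real bootloader verifies a signature chain (e.g. Android Verified Boot's
vbmeta) rather than a pinned hash; the pinned hash stands in for that here.
"""
import hashlib
from enum import Enum


class LockState(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"


# Constructed stand-in for the vendor-signed boot image shipped in an update.
VENDOR_BOOT_IMAGE = b"ANDROID!vendor-kernel+ramdisk(constructed)"

# In a real device this value lives in the bootloader's root of trust (signed
# metadata); here it is simply the digest of the genuine image.
TRUSTED_DIGEST = hashlib.sha256(VENDOR_BOOT_IMAGE).hexdigest()


def modify_boot_image(image: bytes) -> bytes:
    """Stand-in for editing the ramdisk of a downloaded boot image."""
    return image.replace(b"ramdisk", b"ramdisk+root-shell")


def _is_genuine(image: bytes) -> bool:
    return hashlib.sha256(image).hexdigest() == TRUSTED_DIGEST


def vulnerable_boot(image: bytes, lock_state: LockState, from_host: bool) -> str:
    """Mirrors the failure: lock state and integrity are never consulted."""
    label = "vendor" if _is_genuine(image) else "modified"
    return f"booted: {label} image"


def hardened_boot(image: bytes, lock_state: LockState, from_host: bool) -> str:
    """What a locked device with working Verified Boot should do."""
    # 1. A locked bootloader must refuse images pushed from a host.
    if from_host and lock_state is LockState.LOCKED:
        return "denied: bootloader locked"
    # 2. Verified Boot: check integrity before handing control to the image.
    if _is_genuine(image):
        return "booted: verified image"
    # An unlocked device may run custom images, but must warn the user.
    if lock_state is LockState.UNLOCKED:
        return "booted: unverified image (unlocked device, warning shown)"
    return "denied: verification failed"


def run_scenarios() -> dict:
    """Exercise both paths with the genuine and the modified image."""
    modified = modify_boot_image(VENDOR_BOOT_IMAGE)
    return {
        "vulnerable/locked/host-push/modified":
            vulnerable_boot(modified, LockState.LOCKED, True),
        "hardened/locked/host-push/modified":
            hardened_boot(modified, LockState.LOCKED, True),
        "hardened/locked/flashed/modified":
            hardened_boot(modified, LockState.LOCKED, False),
        "hardened/locked/flashed/vendor":
            hardened_boot(VENDOR_BOOT_IMAGE, LockState.LOCKED, False),
        "hardened/unlocked/host-push/modified":
            hardened_boot(modified, LockState.UNLOCKED, True),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:45s} -> {outcome}")
```

The vulnerable path boots the patched image on a locked device exactly as the article describes, while the hardened path stops it twice over: first at the lock-state gate and, if the image were written to the boot partition instead of pushed from a host, again at the integrity check.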
More information, including a demonstration video, is available on McAfee's dedicated blog post about the disclosure.