A flaw in Peloton Bike+ could allow hackers to control it

A flaw in the Peloton Bike+ could be exploited by an attacker with initial physical access to gain root entry to the interactive tablet, taking complete control of the system.

A vulnerability in the popular Peloton Bike+ could have allowed an attacker to gain complete control over the device, including the camera and microphone to spy on the gym users.

The flaw was discovered by researchers from McAfee’s Advanced Threat Research (ATR) team, it could be exploited by attackers to gain remote root access to the Peloton’s “tablet.” The touch screen tablet allows users to access interactive and streaming content.

Experts pointed out that the attackers need physical access to the bike or access during any point in the supply chain (from construction to delivery),

Experts noticed that the tablet is a standard Android device, once compromised it, the attacker could install malware, eavesdrop on traffic, and take the full control of the Bike+.

“A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with.” reads the analysis published by the experts. “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files, or set up remote backdoor access over the internet. “

The attackers could add malicious apps disguised as popular applications, such as Netflix or Spotify, that could allow them to steal the login credentials of the gym users. An attacker could also gather info regarding users’ workouts or spy on them via the bike’s camera and microphone.

Attackers could decrypt the encrypted communications from the bike to various cloud services and databases it accesses, potentially accessing sensitive information. 

The researchers discovered that the Bike’s system did not verify that the device’s bootloader was unlocked before attempting to boot a custom image, allowing the experts to load a file that wasn’t meant for the Peloton hardware.

The experts demonstrated that it is possible to modify a legitimate update package for Bike+ which was containing a valid boot image. McAfee experts modified the update package to achieve elevate permissions.

“The Verified Boot process on the bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file,” continues the report. “To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, [we] had gained complete control of the bike’s Android operating system.”

Peloton already addressed the vulnerability with the release of a new firmware version, the easiest way to verify that a bike is updated to the latest software is to check the Settings section of the touchscreen. 

Early this year Peloton made the headlines after a Popular Mechanics report revealed that President Joe Biden was going to move to the White House and likely he will have to give up his Peloton exercise equipment for security reasons.

Peloton exercise equipment’s popularity surged during the pandemic, it allows users to do gymnastic exercise from home, interacting with each other within an online community.

Peloton devices are connected online and are equipped with a camera and microphone that give the users an immersive experience and communications capabilities. On the other side, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.

Biden’s Peloton may have to be modified to secure the exercise equipment, removing the microphone, camera, and networking equipment.

In May researchers reported that Peloton API uploading data from bikes to Peloton’s servers was exposing gym users’ private profiles and more. Pen Test Partners security researcher Jan Masters discovered that a flaw allowed anyone to access users’ private account data from Peloton’s servers.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Peloton)

[adrotate banner=”5″]

[adrotate banner=”13″]