Attackers could upload a fake boot image that allows remote access to the exercise bike without the user’s knowledge.
A dangerous vulnerability has been discovered in Peloton Bike+ exercise bikes that could allow attackers to remotely take control of them.
McAfee researchers became interested in Peloton equipment when demand for it began to skyrocket during the pandemic. In their research, they found that the Bike+ software did not check whether the bootloader was unlocked, allowing attackers to load their own image that was never intended for Peloton hardware. After downloading the official Peloton service pack, the researchers were able to modify the genuine boot image and access the exercise bike's software with superuser privileges, and the Android Verified Boot process failed to detect that the image had been modified.
Simply put, using a USB dongle, attackers can upload a fake boot image file that gives them remote access to the exercise bike without the user’s knowledge. They can then download and launch applications, modify files, steal credentials, intercept encrypted Internet traffic, and even spy on the user through the exercise bike’s camera and microphone.
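The failure described above comes down to boot verification that is not enforced: the lock state is never consulted and a mismatching image still boots. The following Python model, written for this article and not taken from Peloton or McAfee, contrasts that unenforced policy with an enforcing one; the key, image contents and message strings are constructed, and an HMAC stands in for the vendor's signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's verification key. On real hardware this
# would be a public key anchored in fused ROM, not a shared secret.
VENDOR_KEY = b"constructed-vendor-boot-key"


@dataclass(frozen=True)
class BootImage:
    payload: bytes
    tag: bytes  # MAC over the payload, standing in for the vendor's signature


def sign_image(payload: bytes) -> BootImage:
    """Produce a 'genuine' image the way a vendor build pipeline would."""
    return BootImage(payload, hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest())


def _tag_matches(image: BootImage) -> bool:
    expected = hmac.new(VENDOR_KEY, image.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.tag)


def boot_unenforced(image: BootImage, bootloader_locked: bool) -> tuple[bool, str]:
    """Models the flaw: lock state is never consulted and a verification
    failure is only logged, so a modified image still boots."""
    if not _tag_matches(image):
        # A device in this state would write a warning to its log and carry on.
        return True, "warning: image tag mismatch, booting anyway"
    return True, "ok"


def boot_enforced(image: BootImage, bootloader_locked: bool) -> tuple[bool, str]:
    """Hardened policy: boot only if the bootloader is locked and the image
    verifies against the vendor key; otherwise refuse and say why."""
    if not bootloader_locked:
        return False, "refused: bootloader unlocked"
    if not _tag_matches(image):
        return False, "refused: image tag mismatch"
    return True, "ok"


if __name__ == "__main__":
    genuine = sign_image(b"constructed vendor boot image v1")
    tampered = BootImage(genuine.payload + b" + modified section", genuine.tag)
    for name, policy in (("unenforced", boot_unenforced), ("enforced", boot_enforced)):
        booted, reason = policy(tampered, bootloader_locked=True)
        print(f"{name}: booted={booted} ({reason})")
```

The refusal reasons are returned rather than only logged so that a firmware test suite or a fleet health check can assert on them.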
The vulnerability does not pose a significant threat to home users, as exploiting it requires physical access to the exercise bike. However, as the researchers explained, attackers could install malware at any point during device manufacturing, in a warehouse, or during delivery. In addition, Peloton machines are often installed in gyms and in the fitness centres of hotels and apartment buildings, where they can be easily accessed.
The manufacturer released a fix for the vulnerability on June 4, 2021, meeting the deadline for public disclosure. No evidence has yet been found that attackers are already exploiting it. The issue also affects Peloton Tread treadmills, which were recalled last month, and the Peloton Tread+.