A Security Vulnerability Was Just Discovered on Peloton Bikes
Thankfully, this malware/privacy issue seems to have a quick and easy fix
A security flaw could allow malware to be installed on some Peloton bikes, according to NBC News.
The software security firm McAfee discovered the security flaw on the Peloton Bike+ models, where a USB port could allow bad actors to install fake versions of popular apps like Spotify and Netflix, which would then be able to ask for personal information from users. They would also be able to access a rider’s mic and camera.
While this is unlikely to happen at home, in a public space like a gym this could present problems. And it’s pretty easy to find those public Peloton bikes online, according to the McAfee team.
“The flaw was that Peloton actually failed to validate that the operating system loaded,” said Steve Povolny, head of the McAfee threat research team. “And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.”
As Peloton noted on their site yesterday, the company works with external security researchers issue on issues like these, and this particular security flaw was reported months ago and fixed. As they wrote: “McAfee’s Advanced Threat Research … uncovered a security issue where an attacker with physical access to a Peloton Bike+ or a Peloton Tread could ultimately take control of the device. The issue reported to us by McAfee requires that an attacker be able to connect directly to one of the USB ports on the tablet on the Bike+ or the Tread. They would then be able to modify the software on the device, and could then install malware or access data that is communicated between the device and our services. Like with any connected device in the home, if an attacker is able to gain physical access to it, the need for additional physical controls and safeguards becomes increasingly important.”
The company does note that this fix requires a mandatory software update.
Thanks for reading InsideHook. Sign up for our daily newsletter and be in the know.
Suggested for you