A Security Vulnerability Was Just Discovered on Peloton Bikes

Thankfully, this malware/privacy issue seems to have a quick and easy fix

A detail of Brody Longo strapping his foot into his Peloton exercise bike pedal before he works out on April 16, 2021 in Brick, New Jersey
Some Peloton bike models have a security flaw that require a software fix
Michael Loccisano/Getty Images

A security flaw could allow malware to be installed on some Peloton bikes, according to NBC News.

The software security firm McAfee discovered the security flaw on the Peloton Bike+ models, where a USB port could allow bad actors to install fake versions of popular apps like Spotify and Netflix, which would then be able to ask for personal information from users. They would also be able to access a rider’s mic and camera.

While this is unlikely to happen at home, in a public space like a gym this could present problems. And it’s pretty easy to find those public Peloton bikes online, according to the McAfee team.

“The flaw was that Peloton actually failed to validate that the operating system loaded,” said Steve Povolny, head of the McAfee threat research team. “And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.”

As Peloton noted on their site yesterday, the company works with external security researchers issue on issues like these, and this particular security flaw was reported months ago and fixed. As they wrote: “McAfee’s Advanced Threat Research … uncovered a security issue where an attacker with physical access to a Peloton Bike+ or a Peloton Tread could ultimately take control of the device. The issue reported to us by McAfee requires that an attacker be able to connect directly to one of the USB ports on the tablet on the Bike+ or the Tread. They would then be able to modify the software on the device, and could then install malware or access data that is communicated between the device and our services. Like with any connected device in the home, if an attacker is able to gain physical access to it, the need for additional physical controls and safeguards becomes increasingly important.”

A screen with a mandatory Peloton software update
You’ll have to update your Peloton software to fix this security issue

The company does note that this fix requires a mandatory software update.

It’s been a rough year for Peloton, which has already recalled Tread+ treadmills after one child death and 70 incidents. Not to mention that the bikes might be crushing your private parts.

Win the Ultimate Formula 1® Crypto.com Miami Grand Prix Experience

Want the F1 experience of a lifetime? Here’s your chance to win tickets to see Turn 18 Grandstand, one of Ultimate Formula 1® Crypto.com Miami Grand Prix’s most premier grandstands!