Peloton Bike+ Bug Gives Hackers Complete Control

An attacker with initial physical access (say, at a gym) could gain root entry to the interactive tablet, making for a bevy of remote attack scenarios.

The popular Peloton Bike+ and Peloton Tread exercise equipment contain a security vulnerability that could expose gym users to a wide variety of cyberattacks, from credential theft to surreptitious video recordings.

According to research from McAfee’s Advanced Threat Research (ATR) team, the bug (no CVE available) would allow a hacker to gain remote root access to the Peloton’s “tablet.” The tablet is the touch screen installed on the devices to deliver interactive and streaming content, such as the motivational workout coaching that will be familiar to anyone watching TV commercials during the pandemic.

From there, a diligent hacker could install malware, intercept traffic and user’s personal data, and even control the Bike+ or Tread camera and microphone over the internet.

Some of the attack scenarios include adding malicious apps disguised as Netflix and Spotify designed to harvest login credentials for them to harvest for other cyberattacks. Or, someone could record people’s workouts for personal use, or to be put up for sale on the darker corners of the internet.

Nuisance attacks are possible too, like replacing content with attacker-controlled videos, or even bricking the tablets entirely. And, attackers could decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive business and customer information.

There’s a catch though: An attacker would need either physical access to the workout machines or access during any point in the supply chain (from construction to delivery), McAfee noted – which means that gyms are the likeliest place for real-world exploitation.

Tiny USB, Big Consequences

The hack works like this: An attacker would simply insert a tiny USB key with a boot image file containing malicious code that grants them remote root access, researchers explained.

“Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with,” according to McAfee’s analysis. “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files or set up remote backdoor access over the internet.”

At issue is the fact that Bike+ and Tread systems were not verifying that the device’s bootloader was unlocked before attempting to boot a custom image.

“This means that the [gear] allowed researchers to load a file that wasn’t meant for the Peloton hardware — a command that should normally be denied on a locked device such as this one,” researchers explained.

To weaponize the problem, researchers downloaded an update package for Bike+ directly from Peloton, which contained a valid boot image that McAfee simply modified to give them elevated permissions.

“The Verified Boot process on the bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file,” according to the writeup. “To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, [we] had gained complete control of the bike’s Android operating system.”

Come On, Peloton – You Got This!

Peloton issued a patch in the latest version of its firmware. Gym owners should of course initiate updates as soon as possible.

Thanks to COVID-19 driving more people to exercise inside their homes, the number of Peloton users grew 22 percent between September and the end of December, with more than 4.4 million members on the platform at year’s end, according to a shareholder letter. There’s no indication that any supply-chain exploits have been introduced into the ecosystem, but home users should nonetheless update their firmware too.

According to Adrian Stone, Peloton’s head of global information security, “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

To check whether the system is up-to-date, users can do so (and initiate an upgrade if necessary) straight from the tablet. It’s also a good idea to turn on automatic updating.

The news comes on the heels of a May revelation that the Peloton API responsible for uploading data from bikes to Peloton’s servers was exposing members’ private profile, age, city, workout history and more. Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, regardless of their profiles being set to private.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free

Suggested articles