McAfee recently reported that it had exposed a vulnerability in the Peloton Bike+ that enabled attackers to install malware through a USB port and spy on riders. McAfee is an American global computer security software company headquartered in Santa Clara (California), and Peloton, the maker of the Bike+, is an American exercise equipment and media company based in New York.
McAfee’s Advanced Threat Research Team revealed that the problem was primarily with the Android attachment that comes with the Peloton Bike+ stationary exercise bike. Attackers could potentially get access to the bike through the USB port and install fake versions of popular applications such as Spotify and Netflix, which would help fool users into providing their personal information.
A Peloton Bike+ in a shared public place such as a gym or a hotel would be even more vulnerable to attack. The problem arose because Peloton failed to take into consideration that the operating system loaded. This means that ultimately attackers can install malicious software and then create Trojan horses, giving them back doors into the bike. The threat is quite severe, as the user’s webcam could be easily accessed in this manner.
Interactive maps that show Peloton bikes and treadmills in the U.S. are widely available online, which would make it even easier for an attacker to find those bikes in public spaces and ultimately access users’ accounts. Hackers would then have no problem uploading a completely customized malicious image, granting them access to the rider’s camera, microphone, and apps.
Peloton confirmed that engineers from McAfee had contacted the company to alert it to the problem as part of its Coordinated Vulnerability Disclosure Program. The two teamed up to solve the issue quickly and effectively. Peloton also very recently pushed a mandatory update to the affected devices that successfully addressed the vulnerability.
Peloton was also embroiled in a similar controversy last month, when, due to safety concerns with the device, numerous people were injured and a child was reported dead. The CPSC (Consumer Product Safety Commission) issued a warning urging parents against using the Tread+, as it could be harmful to children. However, the company soon accepted its mistake and went on working to fix all the problems related to its device.
Because of incidents like these, experts have always suggested that, when it comes to devices that connect to the internet, which are a way for hackers to get to your personal data, the most suitable way to keep safe is by turning on automatic software updates or keeping security software for your home network.