Yesterday, the McAfee Advanced Threat Research (ATR) team published a blog post detailing a security issue they had found in the Peloton Bike+ & Tread. This issue would allow an attacker to gain full remote control of Peloton equipment, including monitoring all network traffic and accessing the video camera & microphone. There are two important things to note about this vulnerability: 1) it has been patched since early June, and 2) it first required physical access to the Peloton hardware in order to enable the remote access.
For the technically inclined, you can see the full step-by-step process that McAfee’s team took to find the bug here. The short version is that the Peloton Bike+ (and Tread as well) would boot custom operating systems without verifying whether the image it was about to boot had been modified. This meant that if you were able to get physical access to a Peloton Bike+ and plug in a USB key or computer, you could boot the Bike with a modified operating system that included remote access for you to use later. McAfee included a video showing the attack in action here:
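To make the root cause concrete, here is an added example (not Peloton’s or McAfee’s code) that models a bootloader which boots whatever image it finds beside one that checks every partition against a root of trust pinned in read-only storage before booting. The partition contents, manifest format, and hash pinning are assumptions for illustration; a production verified-boot scheme would check a vendor signature over the manifest rather than a pinned hash.

```python
"""Added example (not Peloton's or McAfee's code): a model of the difference
between a bootloader that boots any image it is handed and one that verifies
the image against a root of trust before booting it.  All images, partition
names and hashes below are constructed for the example."""
import hashlib
import hmac


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "partitions" of the vendor's genuine OS image.
GENUINE_IMAGE = {
    "boot": b"vendor-kernel-v1",
    "system": b"vendor-system-v1",
}

# Constructed image where the system partition has been swapped for one that
# adds a remote-access service (placeholder content, not a real payload).
MODIFIED_IMAGE = {
    "boot": b"vendor-kernel-v1",
    "system": b"vendor-system-v1+remote-service",
}


def build_manifest(image: dict) -> str:
    """A manifest lists the expected SHA-256 of every partition."""
    return "\n".join(f"{name}={sha256(blob)}" for name, blob in sorted(image.items()))


# The root of trust is the hash of the genuine manifest, assumed to be pinned
# in read-only bootloader storage at manufacture time.  An attacker with a USB
# key can rewrite the partitions and the manifest, but not this value.
TRUSTED_MANIFEST = build_manifest(GENUINE_IMAGE)
PINNED_ROOT = sha256(TRUSTED_MANIFEST.encode())


def boot_unverified(image: dict, manifest: str) -> str:
    """Vulnerable pattern: boot whatever is on storage, no checks at all."""
    return "booted"


def boot_verified(image: dict, manifest: str, pinned_root: str = PINNED_ROOT) -> str:
    """Hardened pattern: refuse to boot unless the image matches the root of trust."""
    # 1. The manifest itself must match the pinned root, so a forged manifest
    #    that "approves" a modified image is rejected here.
    if not hmac.compare_digest(sha256(manifest.encode()), pinned_root):
        return "refused: manifest does not match root of trust"
    expected = dict(line.split("=", 1) for line in manifest.splitlines())
    # 2. Exactly the listed partitions must be present (no extras, none missing).
    if set(expected) != set(image):
        return "refused: partition set differs from manifest"
    # 3. Every partition must hash to the value the trusted manifest records.
    for name, digest in expected.items():
        if not hmac.compare_digest(sha256(image[name]), digest):
            return f"refused: partition '{name}' modified"
    return "booted"


if __name__ == "__main__":
    print("unverified, modified image:", boot_unverified(MODIFIED_IMAGE, TRUSTED_MANIFEST))
    print("verified, genuine image:   ", boot_verified(GENUINE_IMAGE, TRUSTED_MANIFEST))
    print("verified, modified image:  ", boot_verified(MODIFIED_IMAGE, TRUSTED_MANIFEST))
    print("verified, forged manifest: ", boot_verified(MODIFIED_IMAGE, build_manifest(MODIFIED_IMAGE)))
```

The unverified path boots the modified image exactly as the unpatched Bike+ did; the verified path refuses it whether the attacker leaves the genuine manifest in place (partition mismatch) or rewrites the manifest to match the tampered image (root-of-trust mismatch). The fix Peloton shipped amounts to making the second behaviour the only one the bootloader has.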
The McAfee team worked with Peloton to disclose the vulnerability and waited a few weeks after it was patched to detail the exploit. Peloton provided this statement:
Peloton’s Head of Global Information Security, Adrian Stone, shared the following: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
The blog post also mentions that once you had full remote/root access, you could also install modified third-party programs like Netflix or Spotify (or ones that just looked like them) in order to steal users’ login credentials. Given the hoops you have to jump through on Peloton equipment to access any extra third-party apps that might have been installed, the remote access & the ability to monitor the video camera seem like the bigger of the two issues with this vulnerability.
McAfee notes that they are continuing to examine the Peloton software for other vulnerabilities, so we might see additional disclosures from their team in the future.
You can double check that your Peloton is on the latest version by following Peloton’s directions here.
This disclosure follows news from last month that Peloton’s API had potentially been exposing some private member data.