Peloton Bugs Expose Enterprise Networks to IoT Attacks

People could potentially lose more than just pounds by using a Peloton treadmill: the Internet-connected fitness equipment can also leak sensitive data or serve as an initial-access pathway for an attack that exploits any of three key attack vectors, researchers have found.

Researchers from Check Point Software took a deep dive into the popular Peloton Tread equipment and found that attackers can enter the system — which is essentially an Internet of Things (IoT) device — via the OS, applications, or by exploiting APIs to load various malware.

Hacking a Peloton Tread through any of these points could not only expose a user’s personal data, but could also let attackers leverage the machine’s connectivity to move laterally into a corporate network and mount ransomware or other high-level attacks, the researchers revealed in a blog post published this week.

“As fitness enthusiasts embrace the convenience and connectivity of these advanced workout machines, it becomes imperative to explore their potential vulnerabilities,” according to the post, attributed to Check Point’s Augusto Morales, technology lead for threat solutions; Shlomi Feldman, product management, Quantum IoT Protect & SD-WAN; and Mitch Muro, product marketing manager, Quantum IoT Protect & Quantum Spark.

The Peloton fitness brand is perhaps best known for its stationary bicycle and related application, which saw an explosive surge in popularity during the COVID-19 pandemic. The company also offers Peloton Tread, a companion treadmill device that operates on the Android OS, which was the focus of the researchers’ investigation.

Researchers had also identified a previous flaw in the Peloton system which could have allowed attackers to remotely spy on victims through an open unauthenticated API. Indeed, its mere existence as an IoT device exposes the home fitness gear to the same vulnerabilities that any Internet-exposed device faces, and the potential risks to users that go along with them.

Check Point alerted Peloton of the flaws the researchers discovered. The company assessed them and ultimately determined that physical access to the device was required for exploitation, Peloton said in a…