“When your operating system on your computer boots up, it should be checking that that’s the operating system that it expects,” he said in an interview. “In this case, the Android operating system here used by Peloton on their Bike+ is really just failing that expected check.”
Without that check, Povolny said, the McAfee researchers could load their own customized operating system, giving them full control over every aspect of the $2,495 Bike+ from any remote setting.
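The check Povolny describes is the core of verified boot: before handing control to the operating system, the bootloader confirms that the image it is about to run is the one the manufacturer signed off on, and refuses anything else. The following is an added illustration, not code from Peloton, McAfee or Android; it models that check in simplified form. The image header layout, the `BOOT` magic value, the sample payloads and the "trusted digest pinned in boot ROM" are all constructed assumptions. Production Android Verified Boot instead signs a `vbmeta` descriptor with the OEM's key and protects the system partition with dm-verity hash trees, but the decision logic is the same: reject on any mismatch, and reject older versions even when they are otherwise genuine.

```python
import hashlib
import hmac
import struct

# Constructed image format for this example: a fixed header followed by the
# OS payload. Header = 4-byte magic, 4-byte version, 4-byte payload length.
HEADER = struct.Struct(">4sII")
MAGIC = b"BOOT"  # hypothetical magic value, not a real Android constant


def build_image(version: int, payload: bytes) -> bytes:
    """Assemble a boot image from a version number and an OS payload."""
    return HEADER.pack(MAGIC, version, len(payload)) + payload


def image_digest(image: bytes) -> bytes:
    """SHA-256 over the whole image (header included, so version is covered)."""
    return hashlib.sha256(image).digest()


def verify_boot_image(image: bytes, trusted_digest: bytes, min_version: int):
    """Decide whether an image may boot.

    Returns (ok, reason). In real hardware trusted_digest and min_version
    would be read from write-protected boot ROM or fuses rather than from
    the (attacker-modifiable) storage the image itself lives on.
    """
    if len(image) < HEADER.size:
        return False, "truncated header"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + length:
        return False, "length mismatch"
    # Anti-rollback: a genuine but older image is still refused, otherwise
    # an attacker could reinstall a release whose bugs are already known.
    if version < min_version:
        return False, "rollback to version %d refused" % version
    # Constant-time comparison so the check itself leaks nothing via timing.
    if not hmac.compare_digest(image_digest(image), trusted_digest):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data: the one image the device is allowed to run, and
# the digest that would be burned into the device at manufacture time.
GENUINE_IMAGE = build_image(3, b"genuine system partition (constructed sample)")
TRUSTED_DIGEST = image_digest(GENUINE_IMAGE)
MIN_VERSION = 3


def tampered_image() -> bytes:
    """Flip one byte of the payload, as a modified OS image would."""
    body = bytearray(GENUINE_IMAGE)
    body[HEADER.size] ^= 0x01
    return bytes(body)


def older_image() -> bytes:
    """Same payload as the genuine image but an earlier version number."""
    return build_image(2, b"genuine system partition (constructed sample)")


def run_checks() -> dict:
    """Exercise the verifier against the genuine, tampered and older images."""
    return {
        "genuine": verify_boot_image(GENUINE_IMAGE, TRUSTED_DIGEST, MIN_VERSION),
        "tampered": verify_boot_image(tampered_image(), TRUSTED_DIGEST, MIN_VERSION),
        "older": verify_boot_image(older_image(), TRUSTED_DIGEST, MIN_VERSION),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print("%-8s boot=%s (%s)" % (name, ok, reason))
```

The point of the model is where the trust comes from: `TRUSTED_DIGEST` and `MIN_VERSION` must sit somewhere the person holding the bike cannot rewrite, otherwise a modified image can simply ship its own "expected" digest alongside itself, which is effectively the situation McAfee describes when the check is skipped altogether.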
“That’s where we talked about harvesting credentials, we talked about accessing the camera on the microphone and really anything that you can do on this operating system for the bike, that’s what they could do now, remotely,” he said.
This vulnerability was also present on Peloton Tread exercise equipment, McAfee confirmed.
The hacked Peloton equipment showed no signs of tampering, either to users or to engineers, Povolny said.
Importantly, McAfee found no evidence that the security flaw, which has been patched, had been exploited by hackers, he added.
The most likely scenario for such a hack, Povolny said, would be in a location like a gym or hotel, where there is open access to the bikes. Another possibility, he noted, would be somebody tampering with devices en masse in the supply chain, to then be sent out like “Trojan horses” into people’s homes or other settings.
“Supply chain stuff has really proliferated over the last couple of years, and that’s one of the reasons we felt it was really important to work with Peloton to get this one patched,” he said.
McAfee, which has also done research on the security of Tesla electric vehicles and medical devices, reported the security concern to Peloton through their Coordinated Vulnerability Disclosure program on March 2. McAfee operates under responsible disclosure, meaning they alert a vendor to a security issue and then offer them 90 days to respond before disclosing it publicly.
After working with McAfee for three months, Peloton pushed out a mandatory update to all of its machines to remedy the issue in June, effectively locking users out of the machine until they completed the update.