Tag Archive for: Peloton

Peloton Bugs Expose Enterprise Networks to IoT Attacks
People could potentially lose more than just pounds by using a Peloton treadmill: the Internet-connected fitness equipment can also leak sensitive data or serve as an initial-access pathway through any of three key attack vectors, researchers have found.

Researchers from Check Point Software took a deep dive into the popular Peloton Tread equipment and found that attackers can enter the system — which is essentially an Internet of Things (IoT) device — via the OS, applications, or by exploiting APIs to load various malware.

Hacking a Peloton Tread through any of these points could expose not only a user’s personal data; attackers could also leverage the machine’s connectivity to move laterally into a corporate network and mount ransomware or other high-impact attacks, the researchers revealed in a blog post published this week.

“As fitness enthusiasts embrace the convenience and connectivity of these advanced workout machines, it becomes imperative to explore their potential vulnerabilities,” according to the post, attributed to Check Point’s Augusto Morales, technology lead for threat solutions; Shlomi Feldman, product management, Quantum IoT Protect & SD-WAN; and Mitch Muro, product marketing manager, Quantum IoT Protect & Quantum Spark.

The Peloton fitness brand is perhaps best known for its stationary bicycle and related application, which saw an explosive surge in popularity during the COVID-19 pandemic. The company also offers Peloton Tread, a companion treadmill device that operates on the Android OS, which was the focus of the researchers’ investigation.

Researchers had also identified a previous flaw in the Peloton system which could have allowed attackers to remotely spy on victims through an open unauthenticated API. Indeed, its mere existence as an IoT device exposes the home fitness gear to the same vulnerabilities that any Internet-exposed device faces, and the potential risks to users that go along with them.

Check Point alerted Peloton of the flaws the researchers discovered. The company assessed them and ultimately determined that physical access to the device was required for exploitation, Peloton said in a…

Source…

Hacking Danger: Peloton users warned of new security threat relating to bike’s touchscreen
Peloton users are being warned of a new security threat relating to the touchscreen on their Bike+ that could potentially be controlled by hackers.

In a report released Wednesday, cybersecurity company McAfee disclosed a vulnerability that allows hackers to access the Peloton bike’s screen and potentially spy on riders using its microphone and camera. However, the threat most likely affects only the $2,495 bike used in public spaces, such as hotels or gyms, because the hacker needs physical access to the screen to plug in a USB drive containing malicious code.

According to McAfee’s Advanced Threat Research team, once the malicious code is in place a hacker can discreetly control the stationary bike’s screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users’ log-in information. Perhaps more alarmingly, the cybersecurity team was able to spy on users via the camera and microphone, which are normally used for video chats with other users.

“As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing.

Internet-connected devices, whether they are bikes, computers or even refrigerators, are all susceptible to hacks. Cyberattacks have increasingly caught the public’s attention, with high-profile companies including McDonald’s, Microsoft and Electronic Arts publicly revealing recent security breaches.

McAfee said it pored over Peloton’s software with a “critical eye” to find vulnerabilities and warn users. The two companies worked together to “responsibly develop and issue a patch.”

Peloton released to users a mandatory software update that fixes the issue earlier this month. The security risk doesn’t affect the lower-priced Peloton Bike because it uses a different type of touchscreen.

This is an important reminder for users of all connected devices to activate automatic software updates to keep them protected against the latest attacks, according to…

Source…

Peloton security vulnerability could leave users open to hackers, researchers say
“When your operating system on your computer boots up, it should be checking that that’s the operating system that it expects,” he said in an interview. “In this case, the Android operating system here used by Peloton on their Bike+ is really just failing that expected check.”

Without that check, Povolny said, the McAfee researchers could load their own customized operating system, giving them full control over every aspect of the $2,495 Bike+ from any remote setting.

“That’s where we talked about harvesting credentials, we talked about accessing the camera on the microphone and really anything that you can do on this operating system for the bike, that’s what they could do now, remotely,” he said.

This vulnerability was also present on Peloton Tread exercise equipment, McAfee confirmed.

The hacked Peloton equipment showed no signs of tampering, either to users or to engineers, Povolny said.

Importantly, McAfee found no evidence that the security flaw, which has been patched, had been exploited by hackers, he added.

The most likely scenario for such a hack, Povolny said, would be in a location like a gym or hotel, where there is open access to the bikes. Another possibility, he noted, would be somebody tampering with devices en masse in the supply chain, to then be sent out like “Trojan horses” into people’s homes or other settings.

“Supply chain stuff has really proliferated over the last couple of years, and that’s one of the reasons we felt it was really important to work with Peloton to get this one patched,” he said.

McAfee, which has also done research on the security of Tesla electric vehicles and medical devices, reported the security concern to Peloton through the company’s Coordinated Vulnerability Disclosure program on March 2. McAfee operates under responsible disclosure, meaning it alerts a vendor to a security issue and then offers the vendor 90 days to respond before disclosing it publicly.

After working with McAfee for three months, Peloton pushed out a mandatory update to all of its machines to remedy the issue in June, effectively locking users out of the machine until they completed the update.

Source…

Should you be worried about someone hacking your Peloton?
(WTNH) — The popularity of at-home exercise has exploded during this pandemic. Sales of Peloton spin bikes have skyrocketed, but could it open you up to someone eavesdropping or even spying on you? Let’s take a look to see if you should be sweating your privacy.

When President Joe Biden took the oath of office on Jan. 20, 2021, he, his wife, and his dogs were welcomed into the White House. But one of his possessions was not. The president rides a Peloton bike for exercise, and because the bike is equipped with a big Android tablet, complete with a camera and a microphone that connect to the internet, it was deemed a White House security risk.

But the risks don’t stop at 1600 Pennsylvania Avenue.

Dr. Ibrahim Baggili, a cybersecurity expert at the University of New Haven, says it is possible for hackers to access the camera and microphone on exercise equipment like a Peloton.

“We teach a whole class on how to do this at our university,” says Dr. Baggili.

But there are even bigger dangers, like hacking heart monitors to make you think you are having a heart problem or worse.

“If you are running on a treadmill and somebody is capable of stopping that treadmill while you are running really fast. Now you can physically harm an individual,” he says.

It is possible for these bikes to be hacked from the outside. But it turns out bike hacking is a two-way street. A growing number of home users are hacking their own bikes.

Videos on YouTube show home users how to hack their Peloton bikes. Some teach you how you can watch something else on that screen, including Netflix.

And that’s not all. Some people are hacking their bikes to make it look like they worked out harder than they really did and shoot to the top of the class.

But for a lot of Peloton lovers like school teacher Marlene Parker from Wolcott, fear of hackers won’t get in the way of a great workout.

“I’m not afraid. I don’t think anyone is listening,” Marlene Parker said. “And the most that they would be listening to is like ‘what’s for dinner?’ or homework assignments with my kids.”

We reached out to Peloton, and they said their products have strong…

Source…