Hacking Danger: Peloton users warned of new security threat relating to bike’s touchscreen

Peloton users are being warned of a new security threat relating to the touchscreen on their Bike+ that could potentially be controlled by hackers.

In a report released Wednesday, cybersecurity company McAfee disclosed a vulnerability that allows hackers to access Peloton’s bike screen and potentially spy on riders using its microphone and camera. However, the threat most likely affects only the $2,495 bike used in public spaces, such as in hotels or gyms, because the hacker needs to physically access the screen using a USB drive containing malicious code.

According to McAfee’s Advanced Threat Research team, a hacker can discreetly control the stationary bike’s screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users’ log-in information. Perhaps more alarmingly, the cybersecurity team was able to spy on users via the camera and microphone, which are normally used for video chats with other users.

“As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing.

Internet-connected devices, whether they are bikes, computers or even refrigerators, are all susceptible to hacks. Cyberattacks have increasingly caught the public’s attention, with high-profile companies including McDonald’s, Microsoft and Electronic Arts publicly revealing recent security breaches.

McAfee said it pored over Peloton’s software with a “critical eye” to find vulnerabilities and warn users. The two companies worked together to “responsibly develop and issue a patch.”

Peloton released a mandatory software update that fixes the issue to users earlier this month. The security risk doesn’t affect the lower-priced Peloton Bike because it uses a different type of touchscreen.

This is an important reminder for users of all connected devices to activate automatic software updates to keep them protected against the latest attacks, according to…


Peloton security vulnerability could leave users open to hackers, researchers say

“When your operating system on your computer boots up, it should be checking that that’s the operating system that it expects,” he said in an interview. “In this case, the Android operating system here used by Peloton on their Bike+ is really just failing that expected check.”

Without that check, Povolny said, the McAfee researchers could load their own customized operating system, giving them full control over every aspect of the $2,495 Bike+ from any remote setting.

“That’s where we talked about harvesting credentials, we talked about accessing the camera on the microphone and really anything that you can do on this operating system for the bike, that’s what they could do now, remotely,” he said.

This vulnerability was also present on Peloton Tread exercise equipment, McAfee confirmed.

The hacked Peloton equipment showed no signs of tampering, either to users or to engineers, Povolny said.

Importantly, McAfee found no evidence that the security flaw, which has been patched, had been exploited by hackers, he added.

The most likely scenario for such a hack, Povolny said, would be in a location like a gym or hotel, where there is open access to the bikes. Another possibility, he noted, would be somebody tampering with devices en masse in the supply chain, to then be sent out like “Trojan horses” into people’s homes or other settings.

“Supply chain stuff has really proliferated over the last couple of years, and that’s one of the reasons we felt it was really important to work with Peloton to get this one patched,” he said.

McAfee, which has also done research on the security of Tesla electric vehicles and medical devices, reported the security concern to Peloton through their Coordinated Vulnerability Disclosure program on March 2. McAfee operates under responsible disclosure, meaning they alert a vendor to a security issue and then offer them 90 days to respond before disclosing it publicly.

After working with McAfee for three months, Peloton pushed out a mandatory update to all of its machines to remedy the issue in June, effectively locking users out of the machine until they completed the update.


Sorry iPhone Users — WhatsApp’s Stunning New Update Is Not For You

So, this is a nasty new surprise for millions of iPhone users. It seems that WhatsApp has fixed the most alarming security issue plaguing its 2 billion users. But not for you—this absolutely critical new fix is Android only. Your serious problem is not going away.

The issue is the account hijacks that continue to plague users worldwide. The fact this has not yet been addressed is stunning, given the scale of the issue and the publicity it has generated. But finally, it seems there is some relief. At least for Android users.

Some of these account hijacks are stupidly simple—tricking users into forwarding WhatsApp’s six-digit SMS verification codes, which attackers then use to transfer your WhatsApp account to their own phones. They then message your contacts, pretending to be you, usually requesting money. Other attacks are more complex, such as the “account suspension hack” we warned you about in April, where anyone can block your WhatsApp account by repeatedly entering incorrect codes against your number.

The first of these issues can be prevented by setting up 2FA inside WhatsApp—Settings / Account / Two-Step Verification. This is different to the code WhatsApp sends by SMS, and it prevents any trickster from stealing your account. The second can’t be prevented unless/until WhatsApp stops automating account suspensions without checking that the request comes from an account holder.

What’s always been most annoying about this problem is that it seems so ridiculous. There is a phone number associated with your WhatsApp account, a text is sent to that number to verify a new install, but the app cannot check that the phone on which it is being installed is the one associated with that same number. Cue the hijacks.

There are clearly privacy issues with WhatsApp pulling identifying data from the device—except that it does plenty of that anyway. This isn’t Signal we’re talking about. But even the suspension attack is so basic as to be laughable. It would not be difficult to find ways to prevent what is essentially a brute force attack on your account from a third-party device in a different location.



Mobile app developers potentially expose personal data of 100 million Android users

After examining 23 Android applications, Check Point Research (CPR) noticed that mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third-party cloud services.

Personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors could lead to fraud, identity-theft and service swipes.

CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million.

It also found push notification and cloud storage keys embedded in a number of the Android applications themselves.

Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, CPR says developers often overlook the security aspect of these services, their configuration, and their content.

CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications. The misconfiguration put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk, it says.

Misconfiguring Real-Time Databases

Real-time databases allow application developers to store data in the cloud, making sure it is synchronised in real time to every connected client. This service solves one of the most common problems in application development, while making sure that the database is supported on all client platforms.

However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?
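As an added example, not from the Check Point report or this article: Google's Firebase Realtime Database security rules are assumed here as the representative real-time database, and the `users`, `profile` and `public_catalog` nodes are hypothetical. The commented-out block is the open configuration the article describes (the Firebase rules editor accepts `//` comments); the live rules below it require a signed-in user and scope each user to their own subtree.

```json
{
  // WEAK (the misconfiguration described above): with these two lines at the
  // root, the whole tree is readable and writable by anyone who learns the
  // database URL, with no sign-in required, so every user's chats, photos
  // and tokens are exposed.
  //
  // "rules": {
  //   ".read": true,
  //   ".write": true
  // }
  //
  // CORRECTED: no ".read"/".write" at the root, so Firebase denies access by
  // default and every grant below is explicit and scoped.
  "rules": {
    "users": {
      // Each signed-in user may read and write only their own subtree;
      // an anonymous client (auth == null) gets nothing.
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "profile": {
          // Constrain the shape of what a client may store.
          ".validate": "newData.hasChildren(['displayName'])",
          "displayName": {
            ".validate": "newData.isString() && newData.val().length < 64"
          },
          // Reject any field the schema does not name.
          "$other": { ".validate": false }
        }
      }
    },
    "public_catalog": {
      // World-readable reference data that clients can never write;
      // a trusted backend using the Admin SDK (which bypasses these rules)
      // is assumed to maintain it.
      ".read": true,
      ".write": false
    }
  }
}
```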

“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users,” CPR says.

“All CPR researchers had to do was attempt to access…