Peloton Bike+ Bug Found


A security vulnerability has been found in the popular Peloton Bike+ that could expose users to surreptitious recordings and credential theft. According to McAfee's Advanced Threat Research team, the bug could allow an attacker to gain remote root access to the touch-screen tablet installed on the devices. That tablet delivers the bike's interactive content, such as motivational workout coaching. With root on the tablet, an attacker could install malware that intercepts traffic and personal data, and could control the camera and microphone of a Bike+ or Tread over the internet.

Attacks could include adding malicious apps disguised as Netflix and Spotify that are designed to steal login credentials. Attackers could record people's workouts and put the recordings up for sale on the internet, replace content with fake videos, or even brick the tablets entirely. Because the malware runs as root on the device that terminates the connection, it could also read the bike's otherwise encrypted communications with the cloud services and databases it accesses, giving the attacker access to sensitive business and customer information. To take advantage of the bug, an attacker would need physical access to the workout machine, or access to it at some point in the supply chain. Because of the need for physical access, McAfee noted that gyms are the likeliest place for real-world exploitation.

An attacker could simply connect over USB and supply a boot image file containing malicious code that grants them remote root access. The attacker does not need to unlock the bootloader to load the modified image, and there is no visible sign that the device was tampered with. With the malicious code running, the attacker controls the Peloton's operating system and can install and run arbitrary programs, modify files, or set up remote backdoor access over the internet.

The issue exists because the Bike+ and Tread systems did not verify whether the bootloader was unlocked before booting a custom image. Normally a locked bootloader should refuse any image that is not signed by the vendor; here that check was skipped, so an attacker could load a file that was never meant to run on the Peloton hardware. To test the vulnerability, the researchers downloaded an official update package for the Bike+ directly from Peloton and modified the code inside it to give themselves elevated permissions. The Verified Boot process on the bike failed to reject the tampered boot image, and the operating system started up normally from the modified file. To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no clue that the device had been compromised.
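The boot-time decision described in the two paragraphs above, as an added example that is not Peloton's or McAfee's code: a toy model of a bootloader that, in its flawed form, boots an externally supplied image without consulting the lock state, and in its corrected form only accepts vendor-signed images while locked. An HMAC over the image stands in for the RSA signature that Android Verified Boot actually checks; the vendor key, the init-script contents of the image and all function names are constructed for illustration.

```python
# Added example (not Peloton's or McAfee's code): a toy model of the boot-time
# decision described above. An HMAC over the image stands in for the RSA
# signature that Android Verified Boot checks; the vendor key, image
# contents and function names are all constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key (a real bootloader holds
# the public half burned into the device and verifies an RSA signature).
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed stand-in for the init configuration inside the official boot
# image: adbd runs as the unprivileged "shell" user.
GENUINE_PAYLOAD = b"service adbd /sbin/adbd\n    user shell\n"


@dataclass(frozen=True)
class BootImage:
    payload: bytes
    tag: bytes  # stands in for the vendor signature over the image


def sign_image(payload: bytes, key: bytes = VENDOR_KEY) -> BootImage:
    """What the vendor's build pipeline does: sign the image it ships."""
    return BootImage(payload, hmac.new(key, payload, hashlib.sha256).digest())


def image_is_vendor_signed(img: BootImage, key: bytes = VENDOR_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(key, img.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.tag)


def tamper_with(img: BootImage) -> BootImage:
    """What the attacker does: edit the official image so adbd starts as root.
    The tag is left untouched because the attacker has no vendor key."""
    return BootImage(img.payload.replace(b"user shell", b"user root"), img.tag)


def vulnerable_boot(img: BootImage, bootloader_locked: bool, custom_image: bool) -> str:
    """Flawed logic: the path that boots an externally supplied ("custom")
    image never consults the lock state, so the signature is never checked."""
    if custom_image:
        return "booted"  # BUG: neither lock state nor signature is examined
    return "booted" if image_is_vendor_signed(img) else "refused"


def fixed_boot(img: BootImage, bootloader_locked: bool, custom_image: bool) -> str:
    """Corrected logic: a locked device runs only vendor-signed images, however
    they were delivered; only an unlocked device may run a custom image."""
    if bootloader_locked:
        return "booted" if image_is_vendor_signed(img) else "refused"
    return "booted"


def demo() -> dict:
    """Run both bootloaders against a genuine and a tampered image."""
    genuine = sign_image(GENUINE_PAYLOAD)
    malicious = tamper_with(genuine)
    return {
        "genuine_signature_ok": image_is_vendor_signed(genuine),
        "malicious_signature_ok": image_is_vendor_signed(malicious),
        # locked device, attacker feeds the tampered image as a custom boot image
        "vulnerable_locked_custom": vulnerable_boot(malicious, True, True),
        "fixed_locked_custom": fixed_boot(malicious, True, True),
        # the fix must not break normal boots or a legitimately unlocked device
        "fixed_locked_genuine": fixed_boot(genuine, True, False),
        "fixed_unlocked_custom": fixed_boot(malicious, False, True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the ordering of the checks: the lock state has to be consulted before any image is handed to the kernel, regardless of whether it arrived by a normal flash or by a one-off "boot this file" request, and on a locked device an image whose signature does not verify must be refused outright. The HMAC is only a stand-in; a production bootloader verifies an asymmetric signature against a key it cannot be talked out of trusting.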

Peloton issued a patch in the latest version of its firmware, and owners should update as soon as possible. Since the COVID-19 pandemic drove more people to exercise at home, Peloton's user base grew 22 percent between September and the end of December; according to Peloton's shareholder letter, there are now more than 4.4 million members on the platform. It is not known whether any supply-chain compromises have been introduced into the ecosystem, so home users should also update their firmware.

According to Adrian Stone, Peloton's head of global information security, exploiting the vulnerability would require physical access to a Peloton Bike+ or Tread. Stone said Peloton quickly coordinated with McAfee and pushed an update in June; once a device is updated, the vulnerability is no longer an issue.