McAfee researchers have reported uncovering a vulnerability that "allows an attacker with either physical access to the Bike+ or access during any point in the supply chain to gain remote access to the bike’s tablet, including the camera, microphone and personal data, without any indication of the Bike+ being tampered with."
The company says this puts "Peloton’s 16.7 million users at risk of a potential cyberattack."
The full research can be read in McAfee's blog post titled "A new program for your Peloton - whether you like it or not."
So, what are the key findings - and should you be worried?
McAfee explains its key findings are:
- Researchers uncovered a flaw in the Android Verified Boot (AVB) process that left the Peloton vulnerable.
- Researchers were able to bypass the Android Verified Boot process, which, if done by a cyber attacker, can lead to the Android OS being compromised with physical access.
- With this vulnerability, a worst-case scenario would involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely.
- Researchers found that since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device. This sort of attack could be effectively delivered via the supply chain process.
- A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know.
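To make the findings above concrete, here is a simplified Python model of the boot decision they describe. It is an added illustration, not code from McAfee's post, Peloton's firmware or the AVB implementation: the vbmeta structure, the `OEM_ROOT_KEY` constant and the sample images are all constructed, and an HMAC under that constant stands in for the RSA signature check a real bootloader performs against its embedded root of trust. What the model does follow faithfully is the shape of the flaw and the fix: a flashed image is always checked against the salted SHA-256 digest recorded in vbmeta, while the `boot` command path starts a RAM-loaded image without that check until the patch refuses the command on a production (user) build.

```python
"""Simplified model of Android Verified Boot (AVB) image checks and of the
`fastboot boot` bypass described in McAfee's Peloton Bike+ findings.

Constructed example: keys, images and the vbmeta layout are stand-ins, and
HMAC replaces the RSA signature over vbmeta so the script runs offline with
only the standard library. Production (user) builds only are modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the OEM root key fused into the device. A real
# bootloader verifies an RSA signature over vbmeta with this root of trust.
OEM_ROOT_KEY = b"constructed-oem-root-key-not-real"


def avb_digest(salt: bytes, image: bytes) -> bytes:
    """AVB hash descriptors record SHA-256(salt || partition image)."""
    return hashlib.sha256(salt + image).digest()


@dataclass(frozen=True)
class VBMeta:
    """Minimal vbmeta: the descriptor (salt, digest) plus an authentication
    tag over it. Only a holder of OEM_ROOT_KEY can produce a valid tag."""
    salt: bytes
    digest: bytes
    tag: bytes


def make_vbmeta(image: bytes, salt: bytes, key: bytes = OEM_ROOT_KEY) -> VBMeta:
    digest = avb_digest(salt, image)
    tag = hmac.new(key, salt + digest, hashlib.sha256).digest()
    return VBMeta(salt, digest, tag)


def verify_boot_image(image: bytes, vbmeta: VBMeta) -> bool:
    """The check AVB applies to a flashed boot partition: vbmeta must be
    authentic (signed by the root of trust) and the image must match the
    digest it carries. Both comparisons are constant-time."""
    expected_tag = hmac.new(OEM_ROOT_KEY, vbmeta.salt + vbmeta.digest,
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, vbmeta.tag):
        return False  # forged or re-signed vbmeta
    return hmac.compare_digest(avb_digest(vbmeta.salt, image), vbmeta.digest)


def bootloader_decision(image: bytes, vbmeta: VBMeta,
                        via_fastboot_boot: bool, patched: bool) -> str:
    """Return 'BOOT' or 'REFUSE' for a production (user) build.

    via_fastboot_boot: image supplied over the `boot` command (RAM boot)
    patched:           bootloader carries the fix McAfee's post describes
    """
    if via_fastboot_boot:
        if patched:
            return "REFUSE"   # fix: `boot` command no longer honoured on user builds
        return "BOOT"         # modelled defect: RAM-loaded image skips verification
    return "BOOT" if verify_boot_image(image, vbmeta) else "REFUSE"


def run_scenarios() -> dict:
    """Exercise the decision logic on a constructed signed image, a tampered
    copy of it, and a vbmeta forged under a key the device does not trust."""
    signed_image = b"constructed signed boot image"
    salt = bytes(range(16))
    vbmeta = make_vbmeta(signed_image, salt)
    tampered = signed_image.replace(b"signed", b"modified")
    # An attacker can recompute the digest but cannot sign with the OEM key.
    forged_vbmeta = make_vbmeta(tampered, salt, key=b"attacker-key")
    return {
        "flashed_signed": bootloader_decision(signed_image, vbmeta, False, True),
        "flashed_tampered": bootloader_decision(tampered, vbmeta, False, True),
        "flashed_tampered_forged_vbmeta": bootloader_decision(tampered, forged_vbmeta, False, True),
        "fastboot_boot_tampered_unpatched": bootloader_decision(tampered, vbmeta, True, False),
        "fastboot_boot_tampered_patched": bootloader_decision(tampered, vbmeta, True, True),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:40s} {outcome}")
```

The two `fastboot_boot_tampered_*` scenarios are the whole story of the advisory: the same tampered image is refused once the `boot` command is disabled on user builds, and because it was never flashed, the unpatched path leaves no modified partition behind for a later integrity check to notice, which is why McAfee stresses that such tampering leaves no trace.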
It's definitely worth reading McAfee's blog post in full (it includes a video showing the vulnerability in action), but it's also important to note the post's conclusion, which is as follows:
"Given the simplicity and criticality of the flaw, we decided to disclose to Peloton even as we continue to audit the device for remote vulnerabilities. We sent our vendor disclosure with full details on March 2, 2021 – shortly after, Peloton confirmed the issue and subsequently released a fix for it in software version “PTX14A-290”.
"The patched image no longer allows for the “boot” command to work on a user build, mitigating this vulnerability entirely. The Peloton vulnerability disclosure process was smooth, and the team were receptive and responsive with all communications. Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+."
McAfee's blog post quoted Peloton’s Head of Global Information Security, Adrian Stone, who shared the following statement: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread.
"Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
So, it's good to see McAfee researching the vulnerabilities of the connected technologies we now take for granted, and good to see that Peloton acted quickly to fix the issue - and no doubt they're internally even more motivated to stay ahead of the hackers - and the security researchers - as much as possible.
Here's the video McAfee shared, and there's plenty more detail in the blog post.