Thursday, 17 June 2021 11:21

VIDEO: McAfee threat researchers uncover vulnerability in Peloton Bike+

By

McAfee's Enterprise Advanced Threat Research (ATR) team have released a vulnerability disclosure for the Peloton Bike+ to gain remote access to the bike's tablet, camera, microphone and personal data - how did they do it? 

McAfee researchers have reported uncovering a vulnerability that "allows an attacker with either physical access to the Bike+ or access during any point in the supply chain to gain remote access to the bike’s tablet, including the camera, microphone and personal data, without any indication of the Bike+ being tampered with."

The company says this puts "Peloton’s 16.7 million users at risk of a potential cyberattack."

The full research can be read about in McAfee's blog post titled: "A new program for your Peloton - whether you like it or not.

So, what are the key findings - and should you be worried?

McAfee explains its key findings are:

  • Researchers uncovered a flaw in the Android Verified Boot (AVB) process that left the Peloton vulnerable.
  • Researchers were able to bypass the Android Verified Boot process, which, if done by a cyber attacker, can lead to the Android OS being compromised with physical access.
  • With this vulnerability, a worst-case scenario would involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely.
  • Researchers found that since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device. This sort of attack could be effectively delivered via the supply chain process.
  • A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know.

It's definitely worth reading McAfee's blog post in full, with a video showing the vulnerability in action, but it's also important to note the conclusion of McAfee's blog post, which is as follows:

"Given the simplicity and criticality of the flaw, we decided to disclose to Peloton even as we continue to audit the device for remote vulnerabilities. We sent our vendor disclosure with full details on March 2, 2021 – shortly after, Peloton confirmed the issue and subsequently released a fix for it in software version “PTX14A-290”.

"The patched image no longer allows for the “boot” command to work on a user build, mitigating this vulnerability entirely. The Peloton vulnerability disclosure process was smooth, and the team were receptive and responsive with all communications. Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+."

McAfee's blog post quoted Peloton’s Head of Global Information Security, Adrian Stone, who shared the following statement: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread.

"Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

So, it's good to see both McAfee researching the vulnerabilities of the connected technologies we now take for granted, and it's good to see Peloton acted quickly to fix the issue - and no doubt they're internally even more motivated to make sure they stay ahead of the hackers - and the security researchers - as much as possible.

Here's the video McAfee shared, and there's plenty more detail in the blog post.

 


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Alex Zaharov-Reutt

Alex Zaharov-Reutt is iTWire's Technology Editor is one of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments