17 June 21, 14:13
Quote:The popular Peloton Bike+ and Peloton Tread exercise equipment contain a security vulnerability that could expose gym users to a wide variety of cyberattacks, from credential theft to surreptitious video recordings.
According to research from McAfee’s Advanced Threat Research (ATR) team, the bug (no CVE available) would allow a hacker to gain remote root access to the Peloton’s “tablet.” The tablet is the touch screen installed on the devices to deliver interactive and streaming content, such as the motivational workout coaching that will be familiar to anyone watching TV commercials during the pandemic.
From there, a diligent hacker could install malware, intercept traffic and user’s personal data, and even control the Bike+ or Tread camera and microphone over the internet.
Some of the attack scenarios include adding malicious apps disguised as Netflix and Spotify designed to harvest login credentials for them to harvest for other cyberattacks. Or, someone could record people’s workouts for personal use, or to be put up for sale on the darker corners of the internet.
Nuisance attacks are possible too, like replacing content with attacker-controlled videos, or even bricking the tablets entirely. And, attackers could decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive business and customer information.
There’s a catch though: An attacker would need either physical access to the workout machines or access during any point in the supply chain (from construction to delivery), McAfee noted – which means that gyms are the likeliest place for real-world exploitation.
Read more: Peloton Bike+ Bug Gives Hackers Complete Control | Threatpost