Peloton's Bike+ is under scrutiny after researchers showed they could bypass the company's boot verification. Following news that Peloton's API exposed private user account data, McAfee's Advanced Threat Research team warned that the Bike+ also carries a potentially dangerous flaw which an attacker could exploit to gain covert, remote control of the bike.
McAfee Points Out Peloton System Flaw
According to Gizmodo, McAfee says its researchers began poking at Peloton's system once the work-out-at-home trend took off during the pandemic. They found that the Bike+ was not checking whether its bootloader was unlocked before accepting a boot image, the check that should block custom images on a locked device.
That allowed the researchers to load a custom image that was never built for the Peloton hardware. They then downloaded an official Peloton update package, modified its boot image, and booted the modified image to gain root access to the bike's software.
Android Verified Boot Process
Android Verified Boot, the mechanism meant to catch exactly this, did not detect that the image had been tampered with. In practice the attacker connects to the bike over USB and loads a fake boot image, which gives them root on the device; malware installed from there can then hand them remote access to the bike without the owner noticing.
From that point the attacker can install and run programs, modify the bike's files, harvest login credentials, intercept encrypted internet traffic, or spy on users through the bike's microphone and camera. For home users the flaw may not sound serious, since exploiting it requires physical access to the Bike+.
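To make the boot-path failure described above concrete, here is a toy Python model. It is an added example, not Peloton's, McAfee's or Android's code, and its image format, vendor key and field names are all invented: a signed "boot image", a vulnerable bootloader that boots a USB-supplied custom image without consulting its lock state or signature, and a hardened one that refuses custom images while locked and rejects any image whose signature fails. Editing the official image to enable root invalidates its signature, which only the hardened path notices.

```python
"""Toy model of a bootloader that accepts a `fastboot boot`-style custom image
without consulting its lock state or the image signature, next to a hardened
version that applies Android Verified Boot style checks. Added illustration
only; not Peloton's, McAfee's or AOSP's code. The image format is invented."""
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. Real AVB verifies an RSA
# signature against a public key fused into the bootloader; an HMAC keeps this
# example self-contained and offline.
VENDOR_KEY = b"constructed-vendor-signing-key"
TAG_LEN = 64  # hex SHA-256 tag appended to the image body


def sign_image(payload: dict) -> bytes:
    """Build a 'boot image': JSON body followed by a vendor tag over the body."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + tag


def parse_image(image: bytes):
    """Split an image into (payload dict, raw body, tag)."""
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return json.loads(body), body, tag


def signature_valid(image: bytes) -> bool:
    """Recompute the vendor tag over the body and compare in constant time."""
    _, body, tag = parse_image(image)
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


def tamper(image: bytes, **changes) -> bytes:
    """Attacker edit modelled on the article: take the official image, flip
    fields in it (here: enable root) and keep the old tag, which no longer
    matches the edited body."""
    payload, _, tag = parse_image(image)
    payload.update(changes)
    body = json.dumps(payload, sort_keys=True).encode()
    return body + tag


def vulnerable_boot(image: bytes, locked: bool, source: str) -> dict:
    """Flawed path. A custom image supplied over USB ('fastboot') is booted
    straight away; `locked` is never consulted and the tag is never checked.
    Only flashed images get a signature check."""
    payload, _, _ = parse_image(image)
    if source == "fastboot":
        return {"booted": True, "verified": False,
                "root": payload.get("allow_root", False),
                "reason": "custom image booted without checks"}
    if not signature_valid(image):
        return {"booted": False, "verified": False, "root": False,
                "reason": "signature mismatch"}
    return {"booted": True, "verified": True,
            "root": payload.get("allow_root", False), "reason": "signature ok"}


def hardened_boot(image: bytes, locked: bool, source: str) -> dict:
    """Fixed path. A locked device refuses custom images outright and never
    boots an image whose signature fails. An unlocked device may boot an
    unverified image, as AVB allows, but flags it as unverified."""
    if locked and source == "fastboot":
        return {"booted": False, "verified": False, "root": False,
                "reason": "bootloader locked: custom images refused"}
    payload, _, _ = parse_image(image)
    valid = signature_valid(image)
    if locked and not valid:
        return {"booted": False, "verified": False, "root": False,
                "reason": "signature mismatch"}
    return {"booted": True, "verified": valid,
            "root": payload.get("allow_root", False),
            "reason": "signature ok" if valid
            else "unlocked device: unverified image, warning shown"}


# Constructed images: the vendor's official build and the attacker's edit of it.
OFFICIAL_IMAGE = sign_image({"build": "bike-plus-release", "allow_root": False})
TAMPERED_IMAGE = tamper(OFFICIAL_IMAGE, allow_root=True)


def demo() -> dict:
    """Run the tampered image through both bootloaders on a locked device."""
    return {
        "vulnerable": vulnerable_boot(TAMPERED_IMAGE, locked=True, source="fastboot"),
        "hardened": hardened_boot(TAMPERED_IMAGE, locked=True, source="fastboot"),
        "hardened_flash": hardened_boot(TAMPERED_IMAGE, locked=True, source="flash"),
        "hardened_official": hardened_boot(OFFICIAL_IMAGE, locked=True, source="flash"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The two checks the hardened path adds are independent: the lock-state check stops a custom image from ever reaching the verifier on a locked device, and the signature check stops a modified official image even if it arrives through the normal flashing path. The vulnerable path has the first check missing and so never reaches the second for USB-supplied images, which is the gap the article describes.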
Peloton Drops $420 Million to Buy Precor
McAfee notes, however, that an attacker could load malware at any point in the supply chain, say at a warehouse or during delivery. Peloton bikes are also popular fixtures in shared gyms and fitness centers in apartment buildings and hotels, where physical access is far easier to come by than in a private home.
Peloton paid $420 million to acquire Precor last December, largely because Precor has an extensive commercial network that includes hotels, colleges, corporate campuses and apartment complexes.
Security Risk for Users
Peloton patched the issue on June 4, 2021, within the disclosure window. At the time of writing there is no indication that the vulnerability has been exploited in the wild. The company also confirmed that the flaw was present in the Peloton Tread, which was recalled in May 2021 alongside the Tread+.
Although the Bike+ is workout equipment, users entrust it with personal data, and that data is at risk if it leaks. An attacker who gains root on a Bike+ can read, alter, download or upload data on the device.
This article is owned by Tech Times
Written by Urian B.