The Advanced Threat Research Team at McAfee reported a vulnerability in the Peloton Bike+ that would allow an attacker to install malware through a USB port and potentially spy on riders.
McAfee stated that an attacker could access the bike and install fake versions of popular apps such as Netflix and Spotify, fooling users into entering their personal information. The attacker would need physical access to the bike to do this, so shared fitness facilities such as gyms or hotels would be more exposed to this attack than a bike in a private home.
Steve Povolny, head of threat research, stated, “The flaw was that Peloton actually failed to validate that the operating system loaded. And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.” He added, “Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information.”
McAfee alerted Peloton to the vulnerability, and Peloton responded with a statement: “McAfee reported a vulnerability to us that required direct, physical access to a Peloton Bike+ or Tread to exploit the issue,” the exercise equipment company said. “Peloton also pushed a mandatory update to affected devices last week that addressed this vulnerability.”