Peloton Fixes Flaws in Bike Hacking - How to Make Sure Your Model is Safe

Exercise equipment manufacturer Peloton recently fixed a software flaw in its Bike+ and Tread models. The flaw could have allowed attackers to use the built-in camera and microphone to monitor Peloton users and to install malware on the machines themselves. In a blog post, McAfee's Advanced Threat Research team, which discovered the flaw, warned that "unprotected gym users who use Peloton Bike+ are at risk of having their personal information compromised and their workouts unwittingly monitored."

All affected Peloton units should have received an over-the-air security update earlier this month that fixes the flaw and brings the software to version PTX14A-290.

"If you have a Bike+ or Tread, we recommend logging into your device's tablet. If you are not already using the latest software, you will need to update it as soon as you log in."

To verify that the update has been applied to your Peloton Bike+ or Tread, follow the instructions on the Peloton support page. (Peloton Bike and Tread+ models are not affected.)

A dialog box will pop up telling you either that your device is up to date or that an update is available. In the latter case, you will be prompted to begin the update process.

Bike and Tread+ models, which are not affected by the flaw discussed here, can be updated in much the same way, except that in step 2 you tap "About Tablet" instead of "System."
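For anyone managing more than one Peloton, the two facts above (which models are affected, and which software version carries the fix) are enough to script a quick inventory check. The following is an added example, not code from the article or from Peloton; it assumes version strings have the shape "PTX14A-290" (a build prefix, a dash, a numeric build) and that a higher build number means a newer release, which is an assumption rather than documented Peloton behaviour.

```python
import re

# Models the article says are affected, and the fixed software version it names.
AFFECTED_MODELS = {"Bike+", "Tread"}
FIXED_VERSION = "PTX14A-290"

# Assumed version format: build prefix, dash, numeric build number.
# "Higher build number is newer" is an assumption, not Peloton documentation.
_VERSION_RE = re.compile(r"^(?P<prefix>[A-Z0-9]+)-(?P<build>\d+)$")


def parse_version(version: str) -> tuple[str, int]:
    """Split 'PTX14A-290' into ('PTX14A', 290); raise on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group("prefix"), int(m.group("build"))


def needs_update(model: str, version: str) -> bool:
    """True if this device is an affected model still running software older than the fix."""
    if model not in AFFECTED_MODELS:
        return False  # Bike and Tread+ are not affected by this flaw
    prefix, build = parse_version(version)
    fixed_prefix, fixed_build = parse_version(FIXED_VERSION)
    if prefix != fixed_prefix:
        # A different build line cannot be ordered numerically; flag it for manual review.
        return True
    return build < fixed_build


def audit(devices: list[dict]) -> list[str]:
    """Return the names of devices that still need the PTX14A-290 update."""
    return [d["name"] for d in devices if needs_update(d["model"], d["version"])]


# Constructed sample inventory for demonstration; not real device data.
SAMPLE_DEVICES = [
    {"name": "bike-plus-1", "model": "Bike+", "version": "PTX14A-280"},
    {"name": "bike-plus-2", "model": "Bike+", "version": "PTX14A-290"},
    {"name": "tread-1", "model": "Tread", "version": "PTX14A-301"},
    {"name": "bike-basic", "model": "Bike", "version": "PTX14A-250"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_DEVICES))  # ['bike-plus-1']
```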

Without going too deep, the McAfee hack is fairly simple and was discovered through trial and error. (The technical details are described in a separate post on McAfee's blog, if you are interested.)

The touchscreens on all Peloton models are Android tablets with a customised interface. McAfee found that Peloton had indeed taken the necessary security precaution of locking the tablet's bootloader so that the Android operating system cannot be tampered with.

Normally, that would be the end of the line for an attacker. Nevertheless, McAfee's researchers were able to partially boot the tablet into a different version of Android: they connected a USB-C drive loaded with a custom bootloader and pressed the power and volume-up buttons simultaneously to reach the tablet's Android recovery screen.

That attempt only produced a black screen, but it showed that the bootloader lock could be circumvented. The researchers then found that they could obtain a previous Peloton firmware update, extract its boot image, load it onto a USB drive, and boot the tablet from that drive.

From there, they were able to modify the Peloton boot image and add the "sudo" command.

With root access, an attacker would have full control of the system: the ability to install apps, change important settings, and modify the operating system itself.

McAfee's researchers were able to install the modified boot image on a Bike+ unit, giving them persistent remote control of the machine. (The original article embeds a video of the end result.)

While this is obviously quite serious, there are a few caveats. First, the attacker would need to be alone with the Peloton machine for several minutes to carry out this attack; it cannot be done remotely.

Second, McAfee proposed a scenario in which criminals could walk around an empty gym, stick a USB-C drive into a random Peloton machine, and hack it. However, a Peloton spokesperson stated that the Peloton Bike+ and Tread, the models susceptible to this flaw, "are not currently offered for commercial use."

That leaves open the possibility of a more private attack involving Peloton machines sold to consumers. For example, the husband in the Peloton TV ad that went viral during the 2019 holiday season could have used this flaw to spy on his wife, and vice versa. But either spouse could just as easily have spied on the other in a dozen other ways.
