A cybersecurity vulnerability in some Peloton bike products may have enabled hackers to install malware and potentially spy on riders, according to software security company McAfee.
Members of McAfee’s advanced threat research team said in a consumer blog post that malware could be installed through a USB port on the Android tablet attachment of the Peloton Bike+, after which hackers could install fake versions of apps like Netflix and Spotify to gather personal information from users.
“As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” McAfee said.
The security company added that Peloton’s stationary exercise bikes located in public gyms would have been more vulnerable to the cybersecurity attacks.
McAfee told The Hill in a statement that with the vulnerability “a worst-case scenario would involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely.”
“Researchers found that since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device,” McAfee added. “This sort of attack could be effectively delivered via the supply chain process.”
“A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know,” the statement said.
McAfee told NBC News that it had informed Peloton of the cybersecurity issue three months ago and that the exercise product company responded within a couple of weeks.
When reached for comment, Peloton told The Hill in a statement that it and McAfee had “worked together and privately to investigate the issue,” in accordance with the bike company’s “standard security process.”
“Peloton fixed the issue within the standard disclosure timeframe and every device with the update installed is protected from this issue,” the exercise product company said, adding that it “does not currently offer Peloton Bike+ or Tread for commercial use and the vulnerability McAfee reported would require direct, physical access to a Peloton Bike+ or Tread to exploit the issue.”
The issues come after cybersecurity group Pen Test Partners in May said that it had discovered vulnerabilities in Peloton bike software earlier in the year that allowed unauthenticated users to exploit Peloton’s API, the software that allows communication between the bikes and company servers.
A Peloton spokesperson told The Hill at the time that “the identification of vulnerabilities by itself does not constitute a breach.”
“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson said. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.”