
This Peloton bike model had a major security problem


Users of the popular Peloton indoor fitness kit have been urged to check and update their systems following the disclosure of a worrying security flaw in one of the company's most popular bike models. 

Researchers at McAfee discovered that the Peloton Bike Plus model contained a vulnerability, now fixed, that could have allowed hackers to gain complete control over the device.

This included gaining control over the Peloton Bike Plus' video camera and microphone, potentially putting users at risk of having private information stolen.

Standard Android

Peloton, which also offered treadmills until recently alongside its eponymous bikes, saw a huge surge in business following the initial global lockdowns last year, making it a potentially lucrative target for hackers.

McAfee noted that despite the high price tags for the company's products (with the Peloton Bike Plus starting at $2,495/£2,295), the connectivity and interactivity aspect of the bike is "a standard Android tablet".

Having examined the device, McAfee revealed a security flaw within the Android ecosystem powering this tablet. The team found that the Peloton Bike+ system was not verifying that the device's bootloader was unlocked before attempting to boot a custom image, which could allow hackers to load new programs onto a user's bike without their knowledge.


McAfee says this meant that a hacker could insert a USB key with a boot image file containing malicious code that grants them remote root access to a bike, meaning they could install and run any programs, modify files, or set up remote backdoor access over the internet.
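To make the missing check concrete, here is an added example (not Peloton's or McAfee's code) that models the boot-time decision the article describes: a vulnerable loader that boots any custom image supplied over USB without consulting the bootloader's lock state, beside a hardened loader that only boots images covered by an authentic vbmeta record when the device is locked. Real Android Verified Boot signs vbmeta with an OEM RSA key; this model stands in an HMAC under a constructed device key so it runs with the standard library only, and the `lock state` strings (`green`, `orange`, `red`) follow the AVB naming but everything else here is an assumption for illustration.

```python
"""Model of the verified-boot decision (added example, not project code)."""
import hashlib
import hmac

# Constructed device-embedded key standing in for the OEM root public key.
DEVICE_ROOT_KEY = b"constructed-oem-root-key"


def sign_vbmeta(boot_image: bytes, key: bytes = DEVICE_ROOT_KEY) -> dict:
    """OEM side: produce a vbmeta record that authorises exactly one boot image."""
    digest = hashlib.sha256(boot_image).hexdigest()
    sig = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return {"boot_digest": digest, "sig": sig}


def vbmeta_valid(vbmeta: dict, boot_image: bytes, key: bytes = DEVICE_ROOT_KEY) -> bool:
    """True only if vbmeta is authentic AND covers the image about to boot."""
    expected = hmac.new(key, vbmeta["boot_digest"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, vbmeta["sig"]):
        return False  # record not signed by the OEM key
    actual = hashlib.sha256(boot_image).hexdigest()
    return hmac.compare_digest(actual, vbmeta["boot_digest"])


def vulnerable_boot(boot_image: bytes, vbmeta, bootloader_locked: bool) -> str:
    """The behaviour the article describes: the OEM image is verified, but a
    custom image arriving with no vbmeta (e.g. from a USB key) is booted
    without ever consulting the lock state."""
    if vbmeta is not None:
        return "booted:green" if vbmeta_valid(vbmeta, boot_image) else "refused:red"
    return "booted:orange"  # bug: a locked device must not reach this line


def hardened_boot(boot_image: bytes, vbmeta, bootloader_locked: bool) -> str:
    """Locked device: boot only images covered by an authentic vbmeta.
    Unlocked device: boot anything, but report the 'orange' state."""
    if not bootloader_locked:
        return "booted:orange"
    if vbmeta is not None and vbmeta_valid(vbmeta, boot_image):
        return "booted:green"
    return "refused:red"


if __name__ == "__main__":
    oem_image = b"constructed OEM boot image"
    custom_image = b"constructed custom boot image from USB"
    record = sign_vbmeta(oem_image)
    for name, loader in (("vulnerable", vulnerable_boot), ("hardened", hardened_boot)):
        print(name, "OEM image, locked   :", loader(oem_image, record, True))
        print(name, "custom image, locked:", loader(custom_image, None, True))
```

The difference shows up in the second line of each pair: on a locked device the vulnerable loader boots the custom image, the hardened one refuses it. Note that a forged vbmeta (one whose digest was rewritten to match the custom image but whose signature was not) is also refused, because the signature is checked before the digest is trusted.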

This could have included installing malicious apps disguised as Netflix and Spotify to the bike in the hopes that unsuspecting users would enter their login credentials or other personal information. 

Obtaining such levels of access also meant hackers could have enabled the bike's camera and microphone to spy on whoever is using it, and could have decrypted its encrypted communications with the various cloud services and databases it accesses in order to intercept all kinds of sensitive information.

McAfee says it disclosed the flaw to Peloton once it was discovered, with a patch developed and rolled out earlier this month. Peloton users are encouraged to update their device as soon as possible, and ensure they stay watchful when using any internet-connected product.

Mike Moore

Mike Moore is News & Features Editor across both TechRadar Pro and ITProPortal. He has worked as a technology journalist for more than five years, including at one of the UK's leading national newspapers. He is interested in hearing about all the latest B2B and B2C news, analysis and opinions, including how companies are using new technology to help forward their work and make their customer's lives easier.