Researchers found numerous vulnerabilities affecting Peloton Treadmill systems that allow malware attacks. An adversary may exploit the flaws to access sensitive device data, including users’ information.
Multiple Vulnerabilities Affected Peloton Treadmill Firmware
According to a recent blog post from Check Point Research, their researchers found numerous security issues with Peloton Treadmills.
Peloton is a popular brand producing a wide range of fitness and workout equipment, particularly boasting internet-connected features. The smart technology empowers the users to demonstrate effective workout sessions with live training videos.
Explaining the issues, the researchers specified that they found multiple security vulnerabilities in the Peloton Treadmill firmware.
Precisely, they first noticed that the treadmills run on Android 10 – a much older version with numerous potential vulnerabilities. Next, the equipment allows an adversary to enable USB debugging and access the shell.
Accessing the shell empowers an attacker to scan installed apps for vulnerabilities, exploiting which could help steal data. Hence, the researchers do not recommend enabling USB debugging.
Moreover, the researchers also found hardcoded sensitive data on the device firmware, including the license key. Accessing these details lets an attacker perform DoS attacks on the target equipment.
Another severe issue CPR highlighted is the existence of unprotected services that allow third-party apps to gain elevated privileges. Again, an attacker may exploit the apps’ tokens to access personal data.
Similarly, attackers may exploit broadcast receivers, preventing device system updates and gaining infinite control over the treadmills.
Above all, an attacker may exploit the flaws in the standard APIs running on the treadmill systems to install malware. In turn, the attacker may perform various malicious activities on the equipment, including exploiting the integrated webcam and microphone to spy on the user.
Peloton To Patch the Flaws Soon
After discovering the vulnerabilities, Check Point Research responsibly disclosed the flaws to Peloton. In response, Peloton explained that exploiting the flaws require an attacker to have physical access to the treadmills. Nonetheless, they appreciated the researchers for highlighting the bugs. It remains unclear if the vendors plan to address these issues anytime soon.
On a side note, McAfee researchers also highlighted numerous security issues with Peloton Bike+ and Tread+ in 2021. At that time, Peloton deployed the patches with subsequent firmware release.
Let us know your thoughts in the comments.
