Software security company McAfee said the flaw in the stationary bike stemmed from the Android attachment that accompanies it. Researchers said attackers could access the bike through the port and install phony versions of popular apps like Netflix and Spotify. The fake apps could then be used to dupe users into entering their personal information.
"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.
"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.
Peloton reportedly patched the issue on June 4, and researchers said there aren’t currently any indications that the flaw has been exploited. Prior to being fixed, the report said the flaw might have left users vulnerable to being watched.
“An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report stated.
Previous dangerous flaw
This isn’t the first time Peloton has confirmed a flaw. Last month, the company recalled all of its Tread+ and Tread treadmills over safety concerns after 70 consumers were injured and a child died after being sucked under the belt. Officials addressed the issue by updating the products’ software to require users to enter a code to restart the belt if it has been left unmoving for up to 45 seconds.
Peloton confirmed that the flaw researchers recently found on the Bike+ was also found on the recalled Peloton Tread. On its security and compliance page, the company warns that “no matter how much effort we put into system security, there can still be vulnerabilities present.”