Researchers find security flaw in Peloton Bike+ that allows hackers to spy on riders


Bikes set up in public spaces could be used to steal personal information

Researchers have found that the Peloton Bike+ had a flaw that rendered it vulnerable to being remotely hacked. The product isn’t yet commercially available, but researchers said the flaw would enable hackers to spy on riders -- and even their surroundings -- in public spaces such as a hotel or a gym. 

Software security company McAfee said the flaw in the stationary bike stemmed from the Android attachment that accompanies it. Researchers said attackers could access the bike through the port and install phony versions of popular apps like Netflix and Spotify. The fake apps could then be used to dupe users into entering their personal information. 

"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.

"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.
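As an added illustration of the check Povolny describes as missing (not code from the article, McAfee or Peloton), here is a toy bootloader that runs an OS image only after verifying it against a vendor public key pinned in the bootloader; the key pairs, image bytes and function names are constructed for the example, and textbook RSA with tiny primes stands in for a real verified-boot signature scheme.

```python
"""Toy model of the missing check: a bootloader that loads an OS image only
if it verifies against a public key pinned in the bootloader. Constructed
example, not Peloton's or McAfee's code. Textbook RSA with tiny primes keeps
it stdlib-only; real verified boot uses full-size keys and padded signatures."""
import hashlib

# Vendor key pair: only (OEM_N, OEM_E) is burned into the bootloader.
OEM_P, OEM_Q = 1000000007, 998244353          # toy primes (constructed)
OEM_N, OEM_E = OEM_P * OEM_Q, 65537
OEM_D = pow(OEM_E, -1, (OEM_P - 1) * (OEM_Q - 1))   # never leaves the vendor
# A second key pair standing in for anyone who is not the vendor.
OTHER_P, OTHER_Q = 1000000009, 999999937      # toy primes (constructed)
OTHER_N = OTHER_P * OTHER_Q
OTHER_D = pow(OEM_E, -1, (OTHER_P - 1) * (OTHER_Q - 1))

def image_digest(image: bytes, n: int) -> int:
    """SHA-256 of the image, reduced into the RSA group of modulus n."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign_image(image: bytes, d: int, n: int) -> int:
    """Release step: the key holder signs the image digest."""
    return pow(image_digest(image, n), d, n)

def unverified_boot(image: bytes, signature: int) -> bool:
    """The flawed behaviour: run whatever image is presented."""
    return True

def verified_boot(image: bytes, signature: int,
                  n: int = OEM_N, e: int = OEM_E) -> bool:
    """Hardened behaviour: run the image only if the signature verifies under
    the pinned vendor key; a modified image or a foreign signature halts boot."""
    return pow(signature, e, n) == image_digest(image, n)

def demo() -> dict:
    """The three cases a bootloader has to get right, plus the flawed path."""
    genuine = b"vendor-release-image-v1 (constructed)"
    modified = genuine + b" + unauthorised extra component"
    vendor_sig = sign_image(genuine, OEM_D, OEM_N)
    other_sig = sign_image(modified, OTHER_D, OTHER_N)
    return {
        "genuine_accepted": verified_boot(genuine, vendor_sig),
        "modified_rejected": not verified_boot(modified, vendor_sig),
        "other_key_rejected": not verified_boot(modified, other_sig),
        "flawed_loader_runs_modified": unverified_boot(modified, other_sig),
    }

if __name__ == "__main__":
    print(demo())
```

The last entry in the result shows why the patch matters: a loader that skips the check accepts the modified image regardless of who signed it.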

Peloton reportedly patched the issue on June 4, and researchers said there aren’t currently any indications that the flaw has been exploited. The report said that, before the fix, the flaw might have left users vulnerable to being watched.

“An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report stated.

Previous dangerous flaw

This isn’t the first time Peloton has confirmed a flaw. Last month, the company recalled all of its Tread+ and Tread treadmills over safety concerns after 70 consumers were injured and a child died from being pulled under the belt. Officials addressed the issue by updating the products’ software to require users to enter a code to restart the belt if it has been left unmoving for up to 45 seconds.

Peloton confirmed that the flaw researchers recently found on the Bike+ was also found on the recalled Peloton Tread. On its security and compliance page, the company warns that “no matter how much effort we put into system security, there can still be vulnerabilities present.”
