Published: October 11, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
There’s a new reason to sweat over your Peloton bike, treadmill or other equipment. Researchers from McAfee have discovered that hackers who are able to get direct access to those sweat-inducing machines can take control over that camera you look into while you're pedaling as well as the microphone, so they can hear you grunt along with the music. They can even monitor you. They can mess with apps such as Netflix, fiddle with your playlists stored in Spotify, and if they can convince you, they can get credentials you enter for these services and others.
How do they do that? Well, that Peloton is conveniently equipped with a tablet that runs on Android. While this may be cutting-edge for exercise equipment, it is not problem-free. This means that if the operating system can be changed (and as we know, Android can be), so can your Peloton.
Some positive spin on this is that Peloton did push a mandatory update in June to address this. However, that doesn’t mean other products weren’t put in exercisers’ homes with the flaw still in existence. According to the McAfee report, if the attacker got access to the machines, the exploits could take place at any point in the supply chain. Yep, another supply-chain attack from the point of construction to the delivery into your workout room.
What can you do? Well, first, don’t hack the operating system. There are some security features in place that prevent attackers from getting access to the tablet and apps on it, unless you crack it and change the implemented security settings. Most users won’t have a desire to do this, or even know how. In fact, if you do change these settings, you will likely void any warranty and therefore give up your cries for help, should the machine fail in any way at some point.
Also remember to update the machines any time you are prompted to do so.
Unfortunately, this isn’t the first time Peloton came under fire. Earlier this year, there were reports that hackers were able to snoop on users to collect gender, location, workout stats, and ages. They, so far, have not been able to determine how much all those clothes stacked on top of the machines weigh.