After Peloton riders’ private data was exposed by a software bug earlier this year, researchers have found some of the tech company’s products are vulnerable to malware, letting hackers spy on unsuspecting riders.

Cybersecurity firm McAfee said cybercriminals could trick Bike+ users into entering their credentials into nefarious apps disguised to look like Netflix or Spotify, and spy on them through their webcams.

This can be done at any time (in the gym, or somewhere in the supply chain) by inserting a USB key with a boot file image containing the dangerous code, which gives criminals remote access to the Bike+, Peloton’s $2,495 bike.

‘They can enable the bike’s camera and microphone to spy on the device and whoever is using it,’ McAfee wrote in the report.

‘To make matters worse, they can also decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive information.’

‘As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched.’

Some Peloton products, including the popular Bike+, are vulnerable to malware

Cybercriminals could trick riders into installing apps that are disguised as Netflix or Spotify and spy on them through their webcams. Hackers can insert a USB key with a boot file image containing the code

In addition, the vulnerability is also present on Peloton Tread, McAfee added.

Shares of Peloton were higher in early Thursday trading, up 2.1 percent to $107.17. 

McAfee said it has spoken to Peloton and disclosed the vulnerability and the two companies worked together ‘to responsibly develop and issue a patch.’

The fix was tested and confirmed effective on June 4. 

The company acknowledged the security lapse in a blog post, thanking the McAfee team for reporting the issue.

‘This kind of collaboration is essential and is part of a healthy security ecosystem between vendors and the research community,’ Adrian Stone, VP, Head of Global Information Security, wrote in the post. 

‘We look forward to future opportunities to collaborate like this to ensure that your experience with Peloton continues to be safe and secure.’   

In an email to DailyMail.com, a Peloton spokesperson said the issue was fixed ‘within the standard disclosure timeframe and every device with the update installed is protected from this issue.’

The spokesperson added both Peloton Bike+ and Treads are not available for commercial use and the vulnerability ‘would require direct, physical access to a Peloton Bike+ or Tread to exploit the issue.’ 

McAfee said it spoke to Peloton and the two companies issued a patch on June 4

This is not the first time Peloton’s fitness products have come under scrutiny for security and safety risks.

In January, President Joe Biden had issues bringing his Peloton bike into the White House because of security concerns over its internet connectivity, built-in microphone and camera.

The 78-year-old Biden previously said he uses the Peloton bike as part of his morning workout routine in the gym upstairs in his home, adding the daily workouts in the morning ‘sort of gets me going’.  

In May, Peloton recalled 125,000 of its Tread+ and around 1,050 Tread treadmills on Wednesday after one child died and another 29 suffered from cuts, broken bones and other injuries.

Initially, Peloton said the April warning from the U.S. Consumer Product Safety Commission for people with children and pets to immediately stop using the Tread+ was ‘inaccurate and misleading,’ but the company eventually acquiesced and issued an apology.

‘The decision to recall both products was the right thing to do for Peloton’s Members and their families,’ Peloton CEO John Foley said early last month.

He admitted Peloton ‘made a mistake in our initial response to the Consumer Product Safety Commission’s request’ adding: ‘We should have engaged more productively with them from the outset. For that, I apologize.

‘We believe strongly in the future of at-home connected fitness and are committed to work with the CPSC to set new industry safety standards for treadmills. We have a desire and a responsibility to be an industry leader in product safety.’

In April, the U.S. Consumer Product Safety Commission warned people with children and pets to immediately stop using the Tread+ made by Peloton.

The CPSC has received 22,500 reports of injuries from many different kinds of treadmills since 2019, but reports from the Tread+ were especially troubling, according to officials.

The U.S. Consumer Product Safety Commission said Wednesday that Peloton received 72 reports of adults, children, pets or other items, such as exercise balls, being pulled under the treadmills.

In October 2020, Peloton previously issued a voluntary recall on pedals for 27,000 bikes after consumers reported pedals breaking off and causing more than a dozen injuries, including some requiring stitches.

Despite the incidents involving problems with equipment swirling around Peloton, the company continues to post record profits.

Peloton has posted $1 billion in sales for its second quarter fiscal results of 2021 and increased its sales outlook for the year to $4 billion as gym enthusiasts turned to the at-home fitness equipment maker due to the pandemic.

The company announced its second quarter fiscal 2021 financial results recording quarterly sales growth of 128 percent. 

THE RISE AND FALL OF PELOTON 

Home workout company Peloton was founded in 2012 by CEO John Foley with his friends and co-founders Graham Stanton, Hisao Kushi, Tom Cortese, and Yony Feng.

The company’s stationary bike – which retails from $1,895 – has become wildly popular amid the coronavirus pandemic, as gym closures have forced many Americans to start working out at home. 

Foley, pictured with his wife Jill and their children Quinn and Mae, became a newly minted billionaire this year as demand for Peloton products spiked during the COVID-19 lockdowns

Foley had lived in a penthouse in this West Village building which he attempted to sell for $7.5million in 2013 after he and his wife spent more than a million renovating

Foley, who was born in Florida, began his career as an engineer for Mars Inc. in 1990. According to the New York Times profile, he had previously put himself through college working nights at a Skittles factory.

The Harvard Business School graduate later helped to build CitySearch.com before becoming CEO of Evite.com, Co-founder and CEO of Pronto.com, and President of ecommerce at Barnesandnoble.com, where he helped launch the Nook e-reader.

He left Barnes & Noble in 2012 to start up Peloton in New York City after family life made it difficult for him to enjoy the boutique fitness classes he loved and he decided to find a way to bring them into the home.

According to Bloomberg, he initially posted a video to Kickstarter in 2013 which raised him $307,000 to get the company off the ground. 

In the beginning, Foley also personally pushed the bikes, spending Sundays in Short Hills Mall in New Jersey trying to sell them, according to the Times.

He told Master of Scale in August that he spent the first three years pitching the company to thousands of investors, but nobody was interested.

‘No investors wanted to look at this thing. They wanted nothing to do with it,’ he said.

‘They couldn’t understand how we’d possibly be able to build the bikes, deliver them, produce the tablet software and then create the content, all by ourselves,’ he also told the Wall Street Journal in 2018.

Foley, pictured, with his wife Jill, came up with the idea for Peloton after the couple struggled to get to boutique classes after having children. They are pictured with their son Quinn who is now 12

Yet having sold its first bike in 2013, Peloton now has more than 2.6 million members and 3,500 employees worldwide. 

And once the pandemic hit and demand skyrocketed, Foley found himself a newly minted billionaire by September.

Bloomberg estimated then that he was worth $1.2 billion, his wealth having tripled this year. He owns 8 percent of stock in the company.

The former engineer now lives in the West Village with his wife Jill, 42, their son Quinn, 12, and daughter Mae, 9.

They had previously listed a home in the area for $7.5million, according to Curbed.  

Jill, who is the company’s vice president of apparel, said the idea for the company had come up because she and her husband were ‘addicted to fitness’.

‘Our first dates were centered around fitness—running, indoor cycling, surfing, yoga, boot camps, etc.,’ she told Heymama.

‘We loved the way we felt after a high-energy, instructor-led interval training class.’

However, once they started having kids, their lifestyles and jobs became more demanding.

‘We found it hard to get to these classes and we actually would get in arguments about whose turn it was to work out!

‘So, one day, John came home and said, ‘I have a great idea!’ What if you could get a high-energy, instructor-led interval training class in your own home!? Working out at home was traditionally so boring and not very effective’, she said.

John Foley is pictured with his wife Jill who is the company's vice president of apparel

In December last year it was announced that Peloton was joining the Nasdaq 100 index and its stocks enjoyed a boost from the inclusion on Monday.

The company’s sales had grown by 172 percent that year as its stationary bike became wildly popular when coronavirus-related gym closures forced many Americans to start working out at home.

The company halted its own live classes for a while in April after an employee in the New York City studio contracted COVID-19 and members urged for them to be shut down to keep the instructors safe.

This year’s meteoric rise came just months after the company lost $942million market value in a single day after its 2019 holiday advertisement sparked fierce social media backlash.

The exercise equipment company was vilified over the commercial titled ‘The Gift That Gives Back’, which shows a woman receiving a stationary bike from her husband on Christmas morning.

She then documents her year-long fitness journey in a series of selfie clips that she compiles into a thank you video for her husband.

The 2019 holiday commercial was slammed by viewers on social media

Viewers trashed the ad on social media, calling it sexist, misogynistic, humiliating and cringeworthy.

Before this, Peloton shares had risen steadily through November 2019 in anticipation of a strong holiday season. The company had gained almost 10 percent just the week before after strong Black Friday sales.

The company’s stock fell 9.12 percent just two days after the commercial’s debut and dropped the market cap to around $9.4billion.

Shares would continue to fall in early December after Citron Research, an online stock commentary website, claimed in a report that the firm is worth $1billion rather than the $8.8billion they claimed.

The report found that Peloton’s true stock price should be just $5 per share by 2020, a dramatic drop of 85 per cent, and it could be worth as little as $1bn.

It based the downgrade on the fact that other manufacturers produce smart exercise bikes for just $500 and that existing bikes can be converted into Pelotons with a $12 attachment and the use of the firm’s app.

Peloton's sales had grown by 172 percent in 2020 as its stationary bike became wildly popular due to coronavirus-related gym closures

The report also criticized the firm for charging customers who buy their exercise bike $39 a month to access online classes – and only charging $12.99 for their app for people who don’t own a Peloton.

And it called into question the reliability of CEO Foley who it said wrongly claimed the firm is profitable.

In February 2020, before the pandemic hit, shares plunged as much as 12 percent further and Peloton reported a loss of 20 cents per share.

It came as the company was embroiled in a lawsuit with Flywheel Sports over patent infringements.

Peloton accused Flywheel Sports of infringing two patents, as well as copying their streaming service on bikes, right down to metrics model and display.

Ultimately, Flywheel Sports was forced to stop offering its At Home service and gave customers one month to trade the $2,000 bikes for Peloton models.

After these losses, Peloton has since regained ground and continues to climb, yet this year has not been without its own setbacks.

The company's most famous product is a $1,895 stationary bike that has become wildly popular amid the coronavirus pandemic, as gym closures continued

It was also hit with a patent infringement lawsuit from a company credited with sparking the world’s indoor cycling craze over a quarter of a century ago.

Mad Dogg Athletics (MDA), which brands itself as ‘the creator of the Spinning and indoor cycling category’, filed the lawsuit against Peloton in the US District Court for the Eastern District of Texas on Monday.

The suit alleged that Peloton infringed upon two of MDA’s patents that are ‘directed to core features of an exercise bike designed to bring the experience of an instructor-led class into the rider’s home’. 

Peloton has reportedly brought in revenue upwards of $1.8billion in 2020, and the company’s daily stock price climbed above $100 in September.

The soaring demand during the holiday season has caused headaches for the company, however, as customers complain of months-long delays in deliveries that have caused some to cancel their orders and defect to rival brands such as SoulCycle.

Last month Peloton told The Wall Street Journal that the delays ‘are primarily due to shipping logjams, particularly at ports as the bikes are transported to the US from manufacturers overseas’.

A spokeswoman stated: ‘The wait times right now are not how we want people to experience Peloton’.

Peloton bosses stated in a recent letter to shareholders that they were ‘doing everything we can to get our products to our prospective Members as quickly as possible’. 

Then in May this year Peloton announced it is recalling all of its 126,000 Tread+ and Tread treadmills across the United States after they were linked to the death of a child and multiple injuries. 

Safety regulators had already warned people with kids and pets to immediately stop using the $4,000 running machine. 

The US Consumer Product Safety Commission (CPSC) issued a statement saying: ‘Consumers who have purchased either treadmill should immediately stop using it and contact Peloton for a full refund or other qualified remedy.’

This post first appeared on Dailymail.co.uk
