After Peloton riders’ private data was exposed by a software bug earlier this year, researchers have found some of the tech company’s products are vulnerable to malware, letting hackers spy on unsuspecting riders.
Cybersecurity firm McAfee said cybercriminals could trick Bike+ users into entering their credentials into malicious apps disguised as Netflix or Spotify, and spy on them through the bike’s built-in camera.
The attack requires physical access at some point: an attacker inserts a USB key carrying a modified boot image that contains the malicious code, whether in a gym or somewhere in the supply chain, and that code gives criminals remote access to the Bike+, Peloton’s $2,495 bike.
‘They can enable the bike’s camera and microphone to spy on the device and whoever is using it,’ McAfee wrote in the report.
‘To make matters worse, they can also decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive information.’
‘As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched.’
The vulnerability is also present on the Peloton Tread, McAfee added.
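The attack above works only because the device accepted a boot image that did not come from the vendor, which is exactly what a verified-boot chain is meant to refuse. The script below is an added example, not code from McAfee’s report or from Peloton: it reads an Android device’s standard boot properties (`ro.boot.verifiedbootstate`, `ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`) and fails unless the bootloader is locked and the boot state is green. It assumes an Android-based device reachable over `adb`; the page does not name the platform, and a Peloton tablet may not expose `adb` at all, so the sample `getprop` output is constructed and the check runs offline.

```shell
#!/bin/sh
# Added example, not code from McAfee's report or from Peloton.
# Audits an Android device's verified-boot state: the control that is
# supposed to refuse a modified boot image like the one loaded from USB
# in the attack described above.  ASSUMPTION: the device is Android-based
# and reachable over adb; the page does not name the platform and a
# Peloton tablet may not expose adb at all.  The sample getprop output
# below is constructed so the check runs offline.

# verified_boot_check PROPS
#   PROPS: text in `getprop` format, one "[name]: [value]" per line.
#   Returns 0 if the bootloader is locked and verified boot is green,
#   1 otherwise; prints the reason for each failed check.  A missing
#   property counts as a failure: an unattested boot image is not "OK".
verified_boot_check() {
    props=$(printf '%s\n' "$1" | tr -d '\r')   # adb output may carry CRLF
    state=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.boot\.verifiedbootstate]: \[\(.*\)]$/\1/p')
    locked=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.boot\.flash\.locked]: \[\(.*\)]$/\1/p')
    dev_state=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.boot\.vbmeta\.device_state]: \[\(.*\)]$/\1/p')
    rc=0
    case "$state" in
        green) ;;   # boot image verified against the OEM key
        "")    echo "FAIL: ro.boot.verifiedbootstate not reported; boot image cannot be attested"; rc=1 ;;
        *)     echo "FAIL: verified boot state is '$state' (expected green; orange/yellow/red means unlocked or unverified)"; rc=1 ;;
    esac
    [ "$locked" = "1" ] || { echo "FAIL: ro.boot.flash.locked is '${locked:-unset}' (expected 1: flashing via fastboot disabled)"; rc=1; }
    [ "$dev_state" = "locked" ] || { echo "FAIL: ro.boot.vbmeta.device_state is '${dev_state:-unset}' (expected locked)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: bootloader locked, verified boot green"
    return "$rc"
}

# live_check: run the same test against a connected device (needs adb).
live_check() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live check" >&2; return 2; }
    verified_boot_check "$(adb shell getprop 2>/dev/null)"
}

# Constructed sample output (not captured from a real device).
GOOD_PROPS='[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
[ro.build.version.release]: [10]'

# Constructed: unlocked bootloader running a custom (unverified) boot image.
BAD_PROPS='[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.version.release]: [10]'

echo "--- locked device"
verified_boot_check "$GOOD_PROPS"
echo "--- unlocked device"
verified_boot_check "$BAD_PROPS" || true
```

Call `live_check` with a device attached to test real hardware. The check is deliberately strict: a device that does not report these properties at all is treated as failing, because the whole point is that the boot image’s origin can be attested, and silence is not attestation. Note that a green state only tells you the image that booted was signed with the expected key; it says nothing about malicious apps installed afterwards, which is the second half of the attack described above.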
Shares of Peloton were higher in early Thursday trading, up 2.1 percent to $107.17.
McAfee said it has spoken to Peloton and disclosed the vulnerability and the two companies worked together ‘to responsibly develop and issue a patch.’
The fix was tested and confirmed effective on June 4.
The company acknowledged the security lapse in a blog post, thanking the McAfee team for reporting the issue.
‘This kind of collaboration is essential and is part of a healthy security ecosystem between vendors and the research community,’ Adrian Stone, VP, Head of Global Information Security, wrote in the post.
‘We look forward to future opportunities to collaborate like this to ensure that your experience with Peloton continues to be safe and secure.’
In an email to DailyMail.com, a Peloton spokesperson said the issue was fixed ‘within the standard disclosure timeframe and every device with the update installed is protected from this issue.’
The spokesperson added that neither the Peloton Bike+ nor the Tread is available for commercial use, and that the vulnerability ‘would require direct, physical access to a Peloton Bike+ or Tread to exploit the issue.’
This is not the first time Peloton’s fitness products have come under scrutiny for security and safety risks.
In January, President Joe Biden reportedly had trouble bringing his Peloton bike into the White House because of security concerns over its internet connectivity, built-in microphone and camera.
The 78-year-old Biden previously said he uses the Peloton bike as part of his morning workout routine in the gym upstairs in his home, adding the daily workouts in the morning ‘sort of gets me going’.
In May, Peloton recalled about 125,000 of its Tread+ treadmills and around 1,050 Tread treadmills after one child died and 29 other people suffered cuts, broken bones and other injuries.
Initially, Peloton said the April warning from the U.S. Consumer Product Safety Commission for people with children and pets to immediately stop using the Tread+ was ‘inaccurate and misleading,’ but the company eventually acquiesced and issued an apology.
‘The decision to recall both products was the right thing to do for Peloton’s Members and their families,’ Peloton CEO John Foley said early last month.
He admitted Peloton ‘made a mistake in our initial response to the Consumer Product Safety Commission’s request’ adding: ‘We should have engaged more productively with them from the outset. For that, I apologize.
‘We believe strongly in the future of at-home connected fitness and are committed to work with the CPSC to set new industry safety standards for treadmills. We have a desire and a responsibility to be an industry leader in product safety.’
In April, the U.S. Consumer Product Safety Commission warned people with children and pets to immediately stop using the Tread+ made by Peloton.
The CPSC has received 22,500 reports of injuries from many different kinds of treadmills since 2019, but reports from the Tread+ were especially troubling, according to officials.
The U.S. Consumer Product Safety Commission said Wednesday that Peloton had received 72 reports of adults, children, pets or other items, such as exercise balls, being pulled under the treadmills.
In October 2020, Peloton issued a voluntary recall of the pedals on 27,000 bikes after consumers reported pedals breaking off and causing more than a dozen injuries, including some requiring stitches.
Despite the string of equipment problems, Peloton continues to post record sales.
The company reported $1 billion in sales in its second quarter fiscal 2021 results, with quarterly sales growth of 128 percent, and raised its sales outlook for the year to $4 billion as gym enthusiasts turned to at-home fitness equipment during the pandemic.