
Peloton Bike+ vulnerability allowed complete takeover of devices
2021-06-16 04:19

A vulnerability in the Peloton Bike+ fitness machine has been fixed that could have allowed a threat actor to gain complete control over the device, including its video camera and microphone.

Peloton is the manufacturer of immensely popular fitness machines, including the Peloton Bike, Peloton Bike+, and the Peloton Tread. In a new report released by McAfee, researchers explain how they purchased a Peloton Bike+ to poke at the underlying Android operating system and see if they could find a way to compromise the device.

Android allows devices to boot a modified image using a special command called 'fastboot boot,' which loads a new boot image into memory without flashing it to the device, so the device reverts to its default boot software on the next reboot.

While Peloton had correctly shipped the device with a locked bootloader, McAfee researchers discovered that they could still load a modified boot image: a bug meant the bootloader did not verify whether the device was unlocked before honoring the 'fastboot boot' command, so the lock state was never enforced for this path.
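The check a practitioner would want here is whether a device that reports itself as locked still accepts 'fastboot boot'. The script below is an added example, not code from McAfee, Peloton or the article; it assumes a fastboot binary on the path, a device already in fastboot mode, and a benign boot image at a path you supply (the image is loaded into memory only, but on a vulnerable or unlocked device it really will boot, so use one you trust). The FASTBOOT variable lets you swap in a different binary or a stub for a dry run.

```bash
#!/usr/bin/env bash
# Added example: probe whether a bootloader that claims to be locked still
# honours `fastboot boot`. Not Peloton's or McAfee's code. Assumes a device in
# fastboot mode and a benign boot image passed as the first argument.
# FASTBOOT may point at another binary (or a stub function) for testing.

FASTBOOT="${FASTBOOT:-fastboot}"

# fastboot prints getvar results on stderr as "name: value"; return the value.
getvar_value() {  # $1 = variable name
  "$FASTBOOT" getvar "$1" 2>&1 | sed -n "s/^$1: *//p" | head -n1
}

# Succeed (0) when the bootloader reports the device as locked.
is_locked() {
  case "$(getvar_value unlocked)" in
    no|NO|false|0) return 0 ;;
    *) return 1 ;;
  esac
}

# Ask the bootloader to boot the image without flashing it.
# A correctly locked bootloader rejects this with a non-zero exit status.
try_boot() {  # $1 = path to boot image
  "$FASTBOOT" boot "$1" >/dev/null 2>&1
}

# Verdict on stdout:
#   unlocked   - device is not locked, so the test says nothing about the bug
#   ok         - locked device rejected the image, as it should
#   vulnerable - locked device accepted an arbitrary boot image (exit status 1)
probe_fastboot_boot() {  # $1 = path to boot image
  local img="$1"
  if ! is_locked; then
    echo unlocked
    return 0
  fi
  if try_boot "$img"; then
    echo vulnerable
    return 1
  fi
  echo ok
  return 0
}

# Usage: ./probe.sh ./test-boot.img   (path is an example, supply your own)
if [ -n "$1" ] && [ "${BASH_SOURCE[0]}" = "$0" ]; then
  probe_fastboot_boot "$1"
fi
```

Reboot the device afterwards either way; because 'fastboot boot' never writes to flash, the original boot image comes back on its own.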

You may be wondering what the big deal is about a vulnerability in a Peloton, as it is not a device where sensitive data is stored or where you log in to your bank and email accounts.

While it is improbable that Peloton devices would be compromised using this vulnerability, since physical access to the device was required, a video published by McAfee illustrates how easily the researchers were able to load a modified boot image on a Peloton Bike+.

News URL

https://www.bleepingcomputer.com/news/security/peloton-bike-plus-vulnerability-allowed-complete-takeover-of-devices/