How to hack a bicycle – Peloton Bike+ rooting bug patched
2021-06-17 18:09

One problem with hacking on top-end specialised devices such as electric cars or fancy online bicycles, rather than on low-end devices such as light bulbs and webcams, is that budget and availability become important issues.

The researchers decided to take a real-world approach for two main reasons: they didn't have another bike handy, and they were keen to look for vulnerabilities that would work out of the box against stock products, rather than needing any "pre-hacking" to be carried out on the device.

On an unlocked device, this will probably work, but you won't be able to back up the original device content first because the unlocking process forces a device wipe, as shown in the warning screen above.

In other words, Peloton had apparently turned on all the security settings needed to protect a locked device from being rooted-and-booted, except for the one to suppress the use of the fastboot boot kernel.

A rooted Android device is open to having its system configuration changed, app permissions altered, security features overridden, and malicious apps installed.

This bug was responsibly disclosed and Peloton pushed out a "non-optional" update early this month, so owners of the Peloton Bike+ product should already be patched against this flaw, assuming they've gone online with the device in the past two weeks.


News URL

https://nakedsecurity.sophos.com/2021/06/17/how-to-hack-a-bicycle-peloton-bike-rooting-bug-patched/