No one would ever think that fitness machines can be useful tools in the hands of a hacker. It is just a fitness machine, one might say. But threat actors can be creative. A Peloton Bike Plus system vulnerability has been recently detected by McAfee. The software security company bought a Peloton product and corrupted its system with malware. It worked and the machine was compromised. This helped experts to fix the bug.

Peloton Bike Plus System Vulnerability: Where It Started

McAfee’s Advanced Threat Research Team suspected a flaw in the Peloton Bike Plus system, so they decided to test it. Peloton, the American exercise equipment, and media company confirmed that McAfee’s experts warned them against a Peloton Bike Plus system vulnerability through their Coordinated Vulnerability Disclosure program.

But where can hackers hit Android and make it weak? The clue lies in the ‘fastboot boot’ special command. Through this, devices are allowed to boot a new modified image. This happens without flashing the device which means that, when rebooting, the system will revert to its rebooted software.

A good feature of the newest Android versions is that they allow users to place their machines in a locked state. However, this does not prevent maliciously coded images to be inserted into the device’s software.

Compromise the Device and Fix the Issue: the New Approach to Coping with Threats

Here is how McAfee’ s experts detected the issue:

Step 1

They bought a Peloton Bike Plus fitness machine and challenged the Android system.

Step 2:

The usual state of the Peloton Bike Plus, as I mentioned above, indicates status locked. However, this did not prevent researchers to upload a modified image. This was because of a bug that did not send correct status information to the machine.

Even though, not having the proper drivers for the machine, the image could have not been displayed properly. What is interesting here is that the modified code of the image could still run on the device.

Step 3:

Experts got a valid image, that worked properly with Peloton devices. They amended it to include the ‘su’ command which allows privileges on the machine.

Step 4:

They loaded a modified Peloton boot.img image. By getting root access, any Android application could be run on the device.

In some easy steps, the McAfee team showed how a system can be compromised and then Peloton fixed the bug. The use of the ‘boot’ command on their systems is no longer permitted in software version “PTX14A-290.”

Another way for a hacker to get access to Android would be to insert a modified boot image containing malicious code by connecting a USB device to the Peloton Bike Plus, says C|net. This could happen on a usual day at a gym. Nobody would even notice the difference, as the device will run normally. Hackers will then have the possibility to change files, set up remote backdoor access online, or install any software.

Should Cyberattacks on Fitness Machines Be Taken Seriously?

One might think that a cyberattack could never target something apparently meaningless as a fitness machine, but the creativity of cyber actors is beyond imagination nowadays and also very advanced, as cyberattacks have happened in a row recently.

Security researchers Sam Quinn and Mark Bereza declared in a statement:

However, under the hood of this shiny exterior is a standard Android tablet, and this high-tech approach to exercise equipment has not gone unnoticed.


Steve Povolny, the head of the threat research team, also pointed out the gravity of the Peloton Bike Plus vulnerability system:

And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.


This way, hackers could get access to private data, log-in credentials, bank accounts, and the identity of the users.

Home fitness was the only option during Covid-19 lockdowns. Thus, Peloton bikes became increasingly popular. According to Backlinko, there was a 22% increase in Peloton users between September and the end of December 2020, with more than 4.4 million members on the platform at the end of the year.

Any IoT you purchase can be secured. Make sure you run the newest updates and buy IoT devices from reputable sellers.

Peloton Shares Price Drop 14% After Suffering Data Breach and Recalling All Its Treadmills

Name:Wreck DNS Bugs Put IoT Devices At Risk

IoT Company Sierra Wireless Hit with Ransomware

Leave a Reply

Your email address will not be published. Required fields are marked *