Peloton fixes bike-hacking flaw — how to make sure your model is safe

1. Habitation
2. News
3. Security

Peloton fixes bike-hacking flaw — how to brand certain your model is prophylactic

(Prototype credit: Peloton)

Exercise-equipment maker Peloton recently fixed a software flaw in its Bike+ and Tread models that could accept allow an attacker with physical admission to the machines gain complete control. The attacker could and so accept spied on the Peloton user with the born camera and microphone, or could have installed malware on the Peloton machine itself.

"An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched," warns a weblog post by McAfee's Advanced Threat Inquiry squad, which discovered the security flaw.

• Peloton information leak exposes users' personal data
• The all-time exercise bikes for your home
• Plus: Windows eleven leaks in full online — here'south your first await

All affected Peloton units should accept received an over-the-air security update earlier this month that fixed the flaw and took the software to version PTX14A-290.

"If you lot ain a Cycle+ or a Tread, we recommend that you log into the tablet on your device," says a Peloton weblog post about the issue. "If you're not already on the latest software, y'all will be immediately required to update your software upon logging in."

How to make sure your Peloton Bicycle+ or Tread is updated

To make certain your Peloton Bike+ or Tread model has the update, follow these instructions, as detailed on Peloton's back up page. The Peloton Bike and Tread+ models are not afflicted.

ane. Tap Settings in the upper-right-hand corner of your Peloton screen, and then tap Device Settings in the popular-up menu.

(Image credit: Peloton)

2. Tap System in the Settings screen.

(Epitome credit: Peloton)

three. Tap System Updates in the System screen.

(Epitome credit: Peloton)

A dialogue box will pop upwards that tells you either that your device is upward-to-date, or that an update is available. In the latter case, you will be prompted to begin the update process.

The Bike and Tread+ models, which are not affected by the flaw existence discussed hither, can be updated in more or less the same way, except that in Step 2 you tap About Tablet rather than System.

What happened with this Peloton security flaw

Without getting too far into the weeds, the McAfee hack was rather simple and was found via trial and error. (The technical details are in this split McAfee blog mail if you're interested.)

The touchscreens on all Peloton models are Android tablets with a modified interface. McAfee found that Peloton had indeed taken the necessary security precautions and locked the tablet bootloaders so that the Android operating organisation could not be tampered with.

Unremarkably, that would mean the end of the line for an attacker. Nonetheless, the McAfee researchers were able to partly boot the tablets into a different version of Android by plugging in a USB-C bulldoze loaded with a custom bootloader and accessing the Android tablet's recovery screen past pressing the power and volume-up buttons at the same time.

That method resulted in a black screen, but it showed that the bootloader-lock could be bypassed. And then the McAfee researchers then grabbed an before Peloton firmware update, extracted a boot image, loaded it onto their USB drive and found they could boot the tablet from the USB bulldoze.

From there, they were able to modify the Peloton kick epitome to add together a "sudo" command, which grants temporary root access to any user on a Linux system, which Android is under the hood.

Root access lets the user get complete control of a system and have the power to install apps, change vital configurations or change the operating organisation itself.

Because the McAfee researchers were able to install their modified boot image on their Bike+ unit, they would take permanent, remotely accessible control over the machine. Hither's a video of the end effect.

A few big 'ifs'

This is obviously pretty serious, but there are a couple of caveats. Starting time of all, the attacker needs a couple of minutes alone with the Peloton machine to acquit out this attack. Information technology can't just happen over the air.

Second, McAfee put frontward the scenario of a criminal wandering around an empty gym sticking USB-C drives into random Peloton machines to hack them. Merely a Peloton spokesperson told us that the visitor "does not currently offering Peloton Bike+ or Tread for commercial utilize" — the very models susceptible to this flaw.

That does exit open up the possibility of more individual attacks involving Peloton machines sold to consumers. For case, the husband in that Peloton Goggle box ad that went viral during the 2019 holiday season could have used this flaw to spy on his wife, or vice versa. Simply then again, either spouse could easily have spied on the other in a dozen other means.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the data-security space for more than than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown upward in random Tv news spots and even moderated a console give-and-take at the CEDIA abode-applied science conference. You tin follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/peloton-bike-plus-flaw

Posted by: pettiesblecliked1962.blogspot.com

Share this post