Peloton Patches Vulnerability In Camera That Allowed Spying on Riders (cnn.com)
McAfee has discovered a vulnerability "that allows hackers to access Peloton's bike screen," reports CNN, "and potentially spy on riders using its microphone and camera."
"However, the threat most likely affects only the $2,495 bike used in public spaces, such as in hotels or gyms, because the hacker needs to physically access the screen using a USB drive containing malicious code." According to McAfee's Advanced Threat Research team, a hacker can discreetly control the stationary bike's screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users' log-in information. Perhaps more alarmingly, the cybersecurity team was able to spy on users via the camera and microphone, which are normally used for video chats with other users.
"As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched," the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing... Peloton released a mandatory software update that fixes the issue to users earlier this month.
The security risk doesn't affect the lower-priced Peloton Bike because it uses a different type of touchscreen...
This report marks the second security concern for Peloton in two months. In May, the fitness firm released a security update that sealed a leak that was revealing personal account information, such as a user's age, city and weight.
Three, actually (Score:2, Informative)
This report marks the second security concern for Peloton in two months.
In April, the U.S. Consumer Product Safety Commission issued a warning about the Tread+ treadmill [go.com]. A child was pulled under the belt and killed while the parent was on the treadmill, and so far at least 39 other incidents have been reported where both children and pets have been injured around this particular treadmill.
Re: (Score:2)
Granted, there's probably a lot of equipment that kills babies. But it could be one of the fewer models that doubles as an Orwellian telescreen.
Sure, better design could alleviate both of these problems. (Unless the remote access thing becomes "feature not bug", which it will, if it's not already.) Even better to avoid these problems altogether by either not getting such a machine, or keeping it locked in an exercise room where the kiddos can't get to it and it can't see anything other than jiggling jellybe
Summary: give someone physical access ... (Score:2)
to a computer and they can install code that is malicious. Is this entirely unexpected? If it were totally locked down then would we not be seeing complaints that nasty Peloton was preventing owners from customising the machine, that the owners did not really own it, etc.
I do not have one of these ... is there a login mechanism that could be used, or a superuser login?
The end of Nekkidpeleton channel on Pornhub (Score:2)
A shame.
Re: (Score:2)
"As stupid as it is to respond to such a dumb comment did you really think people are riding naked?"
I do. It's over 100 outside.
Secret service was right... (Score:2)
They had to demand a custom version of the software/firmware from Peloton so Michelle Obama could have one of those in the White House. I guess it was justified.
Why the fuck hell does an exercise (Score:3, Insightful)
...bike need a camera?
Re: (Score:2)
Also this hack seems kind of ho-hum. If somebody has physical access to the space it would be so much easier to just put their own spy cam wherever in the room, and get a better view.
Re: (Score:1)
I wonder what percent actually use that feature. Our exercycle also has a camera, and it's not a Peloton. I even put tape over the camera a half year ago, but somebody peeled it off.
Re: (Score:2)
But, Coronavirus was fantastic for them, with clubs shut down.
Re: (Score:2)
Well, the camera and connectivity and group experience are the only things that separate Peloton from other exercise bikes, so, while I understand the question, it is also kind of like saying, of Tesla, "why does a car need to be electric?"