Does Peloton have a security problem?
A security vulnerability was identified that allows hackers to take control of the Peloton Bike+. How bad is the issue and what does it mean for Peloton and home fitness?
What’s the issue?
Peloton’s software uses a version of Google’s Android platform. Security researchers at McAfee published a video of a hack that provides full control of the Bike+. This would give hackers full access to the system and let them install software to spy on the user. It’s worth noting that this requires physical access to the bike. It’s conceivable that a gym or shared Peloton could be vulnerable to this hack. Peloton has issued a software patch to fix the vulnerability. Below is the video McAfee shared:
“Once I’ve got access to it, I can potentially have complete control over that particular device,” a McAfee spokesperson said.
“You can take control of the camera, watch someone running day in, day out, or when they go to their login details I could capture those. It is a fundamental vulnerability.”
Why does this matter?
As a society that relies on technology, we’re used to the potential dangers of hackers. Most of us care about our data and privacy and expect companies like Peloton to maintain a secure product. In this instance the risk is minimal unless someone gains physical access to your Peloton. But there’s still a degree of reputational damage to the Peloton brand, as it’s a premium product with some affluent members. Perhaps the most worrying aspect of the hack is someone using your Peloton to spy on you, which is conceivable. It’s convenient not to be seen by others when you’re pushing yourself to the limit in a workout. Celebrities and politicians are Peloton members and the potential for blackmail is a real possibility.
As Peloton’s reach expands to more public locations like gyms and hotels, security vulnerabilities become more of a concern. As this attack requires physical access, a Peloton in a shared location presents an opportunity for a hacker. Login details could be stolen, causing a data breach.
Privacy in the home
Peloton has a webcam and microphones built into the device. Peloton’s Bike+ has a privacy shield that turns the webcam off. However, the microphones don’t offer the same functionality, making it possible for a hacker to gain access, potentially monitoring private conversations.
But these issues aren’t unique to Peloton; smart speakers like Amazon’s Echo, smart TVs and mobile phones are all listening to us, every minute of every day. We trust companies such as Amazon and Google to protect our privacy and prevent unauthorised access to any data captured.
What does the Secret Service say?
President Biden is known to be a Peloton member, but it was suggested his bike would require modifications by the Secret Service to prevent cyber espionage. Peloton’s camera and microphones would need to be removed and President Biden would need to create an alias for use on the leaderboard.
It’s rumoured that Michelle Obama has similar modifications to her Peloton to prevent unwanted eavesdropping.
Homeland-style assassination
There’s another reason the Secret Service should be worried about connected technology. In what felt like far-fetched fiction, drama series Homeland showed an attack on the president. It used a treadmill to interfere with the president’s pacemaker, causing a fatal heart attack in the process. In an intriguing turn of events, it was widely reported that Vice President Cheney was advised by his doctors and security detail to disable wireless access to his pacemaker to prevent such an attack. Thankfully this was fantasy, but home fitness equipment being used to attack a sitting president is a scary but real scenario the Secret Service must consider.
How has Peloton reacted?
After being notified of the security vulnerability, Peloton acted quickly to issue an over-the-air software fix.
Peloton’s operating system is built on Google’s Android platform. Whilst Android has gone some way to address security issues, its primary use was to aid Google in capturing the data from billions of smartphones around the world. Android is an open system that trusts the user and its community of developers to do the right thing. Because of this open nature, security vulnerabilities are more common and Peloton must work quickly to patch any known threats. But for now, damage is minimal and Peloton becomes another in a long list of companies exposed to hackers.