Peloton bikes are vulnerable to malware attacks: report

Peloton bikes are vulnerable to malware attacks that could enable creeps to spy on riders through their webcams, according to a report.

Software security company McAfee said hackers could potentially spy on Peloton bikers by tricking them into installing “malicious apps disguised as Netflix and Spotify,” according to research the company released on Wednesday.

A hacker, according to the report, could enter a gym and insert a tiny USB key into the bikes that would give a criminal remote access to the rider’s personal information.

“An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” according to the report.

Peloton, for it’s part, said that the bikes in question — the  Peloton Bike+ or Tread — are not sold to commercial businesses like gyms, but the company could not confirm that commercial businesses don’t use those bikes. 

Hackers could install these USBs anywhere in the supply chain, from construction to delivery, which would put consumers who own the pricey bikes at risk as well, McAfee says.

Peloton bike
McAfee says the Peloton riders could be duped into downloading the malware by installing fake Netflix and Spotify apps.
Bloomberg via Getty Images

It’s not the first time Peloton has been seen as a security risk.

In January, president Biden was warned not to bring his favorite exercise bike to the White House, according to reports, because hackers might be able to view him and access information during his workouts.

Peloton’s own security and compliance page warns that “no matter how much effort we put into system security, there can still be vulnerabilities present.”

The latest security flaw impacts Android tablet users, the McAfee Advanced Threat Research group found. McAfee said it alerted Peloton to the problem several months ago.

In a blog post on Wednesday, Peloton acknowledged the McAfee finding and said it had addressed the issue. Consumers would be prompted to update their software which would include a fix to the problem, according to the post.

The post also thanks McAfee for “discovering” the problem “and for keeping it confidential to help keep our Members safe until we implemented a fix.”

The security concerns have surfaced following a massive product recall over safety last month after 70 customers reported injuries from using the treadmills and a child died.

The Consumer Product Safety Commission issued an “urgent” warning to parents to stop using the Tread+ because of the risk to young children. As part of its warning the CPSC provided a horrific video showing a toddler being sucked under the machine. 

Leave a Comment