A recent study by researchers at Check Point Software has found that Peloton treadmills can leak sensitive data and serve as an entry point for cyberattacks. The researchers showed that an attacker can go after the operating system (OS), the applications, or the APIs of the Internet-connected fitness equipment to load malware and gain unauthorized access.
Compromising a Peloton treadmill through any of these attack vectors does more than expose a user's personal data: the machine's network connectivity can be used to reach into a corporate network and stage follow-on attacks such as ransomware. The researchers reported their findings in a blog post by Check Point's Augusto Morales, Shlomi Feldman, and Mitch Muro.
Peloton is best known for its stationary bicycle and related application, which gained immense popularity during the COVID-19 pandemic. The company also offers the Peloton Tread, a treadmill device that runs on the Android operating system (OS). The researchers focused their investigation on this particular device.
The study found that running Android exposes the Peloton Tread to the same classes of vulnerability as any other Android device. Worse, the treadmill runs Android 10, several releases behind the then-current Android 13. That outdated OS version leaves the treadmill potentially exposed to over 1,100 vulnerabilities published against the platform in 2022 and 2023 alone, raising the risk of compromise.
One weakness highlighted by the researchers is that USB debugging can be enabled on the Peloton Tread's OS, which gives a threat actor an ADB shell (running as the low-privileged shell user on a production build) from which every installed package on the device can be listed. That foothold gives ample opportunity for further exploitation, from probing individual apps to moving deeper into the device.
Attackers can also work at the application layer by bypassing root-detection measures and hunting for vulnerabilities within the apps themselves. The researchers gave the example of license keys exposed in an embedded text-to-speech service, which could be abused to mount a denial-of-service attack. Privilege-escalation attacks against unprotected services on the Peloton platform, meaning components exposed without a permission check in front of them, are another route to personal data.
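The "unprotected services" the researchers describe usually surface as components that an app exports without requiring any permission. The script below, an added example that is not code from the Check Point write-up or from Peloton, triages a decoded AndroidManifest.xml for exactly that. It assumes the manifest has already been pulled and decoded (for instance `adb pull` of the APK followed by apktool or aapt), and the manifest it parses is a constructed sample with a hypothetical package name. It also applies the platform's default-export rule: on apps targeting API levels below 31 (Android 10 is API 29), a component that declares an intent-filter is exported even when `android:exported` is never written, which is the case reviewers most often miss.

```python
"""Flag exported Android components that no permission protects.

Added example, not from the Check Point post or any Peloton code. Input is a
decoded AndroidManifest.xml; the manifest below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package); targetSdkVersion 29 = Android 10
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="29"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".TelemetryService">
      <intent-filter>
        <action android:name="com.example.fitness.UPLOAD"/>
      </intent-filter>
    </service>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.fitness.ADMIN"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".WorkoutProvider"
              android:authorities="com.example.fitness.workouts"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Apply the platform default-export rule for one component."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Providers defaulted to exported only for targetSdk < 17
        return target_sdk < 17
    # Activities, services and receivers: pre-API-31 default is "exported iff it
    # declares an intent-filter"; from API 31 the attribute must be explicit.
    return target_sdk < 31 and elem.find("intent-filter") is not None


def is_protected(elem):
    """True if a permission gates the component (providers may split read/write)."""
    if attr(elem, "permission"):
        return True
    if elem.tag == "provider":
        return bool(attr(elem, "readPermission")) and bool(attr(elem, "writePermission"))
    return False


def find_unprotected_exports(manifest_xml, target_sdk=None):
    """Return (tag, name, [intent actions]) for every exported, unprotected component.

    target_sdk overrides the manifest's targetSdkVersion so the effect of the
    default-export rule can be compared across API levels.
    """
    root = ET.fromstring(manifest_xml)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        declared = attr(uses_sdk, "targetSdkVersion") if uses_sdk is not None else None
        target_sdk = int(declared) if declared else 1  # missing targetSdk means minSdk/1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        if is_protected(elem):
            continue
        actions = [attr(a, "name") for f in elem.findall("intent-filter")
                   for a in f.findall("action")]
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher activity is expected to be exported
        findings.append((elem.tag, attr(elem, "name"), actions))
    return findings


if __name__ == "__main__":
    for tag, name, actions in find_unprotected_exports(SAMPLE_MANIFEST):
        print("%-8s %-20s actions=%s" % (tag, name, actions or "-"))
```

Against the sample, `.TelemetryService` is flagged only because the app targets API 29: re-run with `target_sdk=31` and the implicit export disappears, leaving just the explicitly exported `.WorkoutProvider`. That is the practical point: on a device stuck on Android 10, older target levels and their permissive defaults are still in play.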
The researchers also found that the Peloton Tread's APIs can be abused to execute Android code, letting an attacker turn the device's always-on connectivity to malicious networking. The same APIs can be used to install malware that takes over the treadmill's webcam and microphone for eavesdropping. To demonstrate the point, the researchers sideloaded a mobile remote-access tool (RAT) onto the Tread and gained complete control of the device.
One particularly concerning aspect of a Peloton treadmill serving as an entry point into an enterprise network is how hard such an attack is to detect. Because it is a home workout machine, nobody is likely to suspect it as the source of compromise of a work network, which gives malicious actors ample time to cover their tracks and operate undetected.
To mitigate the risks of Peloton treadmills and other IoT devices, users need a clear understanding of the software components on their devices and should keep them patched. For enterprises, network administrators should deploy controls that cover IoT-connected devices: monitor the traffic those devices generate, enforce zero-trust access policies so a treadmill can reach only the endpoints it needs, and flag and block suspicious connection attempts.
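The monitoring and blocking the paragraph above calls for reduce to a few rules once the device's normal traffic is known. The script below is an added example, not from the Check Point post or any vendor product, that runs those rules over flow records in a simple CSV form (timestamp, source, destination, destination port, protocol, bytes) as a firewall or NetFlow collector might export them. The IoT VLAN, the corporate range, the per-device egress allowlist and every flow record are constructed for illustration; the vendor endpoints use RFC 5737 documentation addresses. It flags a treadmill reaching into corporate ranges or unlisted Internet hosts, a sweep of several corporate hosts, and an inbound connection to the device on TCP 5555, the port ADB listens on when debugging over the network is enabled.

```python
"""Egress and lateral-movement checks for an IoT device on a segmented VLAN.

Added example, not from the Check Point post or any product. All addresses,
allowlist entries and flow records below are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("10.50.0.0/24")      # hypothetical IoT VLAN
CORP_NETS = [ipaddress.ip_network("10.0.0.0/16")]   # hypothetical corporate range
ADB_TCP_PORT = 5555                                  # adbd's TCP listener when enabled
SCAN_THRESHOLD = 3                                   # distinct corp hosts before it is a sweep

# Per-device egress allowlist learned from a baseline capture (hypothetical endpoints)
ALLOWLIST = {
    "10.50.0.23": [("203.0.113.0/24", 443),   # vendor cloud over TLS
                   ("10.50.0.1", 53)],        # local resolver
}

# Constructed flow log: three normal flows, then an ADB connection from a corporate
# host, an unlisted Internet destination, and an SMB sweep of three corporate hosts.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2023-06-12T07:01:02Z,10.50.0.23,203.0.113.10,443,tcp,18234
2023-06-12T07:01:05Z,10.50.0.23,10.50.0.1,53,udp,96
2023-06-12T07:02:10Z,10.50.0.23,203.0.113.11,443,tcp,40211
2023-06-12T07:15:44Z,10.0.4.17,10.50.0.23,5555,tcp,1200
2023-06-12T07:16:01Z,10.50.0.23,198.51.100.7,8443,tcp,77012
2023-06-12T07:16:30Z,10.50.0.23,10.0.2.10,445,tcp,512
2023-06-12T07:16:31Z,10.50.0.23,10.0.2.11,445,tcp,512
2023-06-12T07:16:32Z,10.50.0.23,10.0.2.12,445,tcp,512
"""


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def is_allowed(src, dst, dport):
    """True if (dst, dport) is on the allowlist for this source device."""
    for net, port in ALLOWLIST.get(src, []):
        if port == dport and dst in ipaddress.ip_network(net):
            return True
    return False


def parse_flows(text):
    return list(csv.DictReader(io.StringIO(text)))


def analyze(text):
    """Return alerts as (ts, src, dst, dport, reason) plus per-device sweep counts."""
    alerts = []
    corp_hosts = defaultdict(set)
    for flow in parse_flows(text):
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        dport = int(flow["dport"])
        record = (flow["ts"], flow["src"], flow["dst"], dport)
        # Anyone opening ADB over TCP towards an IoT device is worth a look regardless of source
        if dst in IOT_NET and dport == ADB_TCP_PORT:
            alerts.append(record + ("adb_tcp_inbound",))
            continue
        if src not in IOT_NET or is_allowed(flow["src"], dst, dport):
            continue
        if in_nets(dst, CORP_NETS):
            corp_hosts[flow["src"]].add(flow["dst"])
            alerts.append(record + ("iot_to_corp",))
        else:
            alerts.append(record + ("unexpected_egress",))
    scans = {s: len(h) for s, h in corp_hosts.items() if len(h) >= SCAN_THRESHOLD}
    return {"alerts": alerts, "scans": scans}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for alert in result["alerts"]:
        print("%s %s -> %s:%d  %s" % alert)
    for src, count in result["scans"].items():
        print("sweep: %s touched %d corporate hosts" % (src, count))
```

The allowlist is the part that does the work: a treadmill has a small, stable set of destinations, so anything outside it is a cheap, low-noise signal. In a zero-trust deployment the same list becomes the firewall policy and the detection rule becomes a block.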
As IoT devices keep spreading into homes and offices, the importance of securing them cannot be overstated. Manufacturers and users alike must remain vigilant and proactive in addressing vulnerabilities to prevent cyberattacks and protect sensitive data.