Software security firm McAfee said it exposed a vulnerability in the Peloton Bike+ that allowed attackers to install malware through a USB port and potentially spy on riders.
McAfee’s Advanced Threat Research team said the problem stemmed from the Android attachment that comes with the Peloton Bike+ stationary exercise bike. McAfee said attackers could access the bike through the USB port and install fake versions of popular apps like Netflix and Spotify, which could then trick users into entering their personal information.
A Peloton Bike+ in a public, shared place, such as a hotel or gym, would be particularly vulnerable to the attack.
“The error was that Peloton couldn’t validate that the operating system was loading,” said Steve Povolny, head of the threat research team. “And what that ultimately means is that they can install malicious software, create Trojans and give themselves backdoors in the bike, and even access the webcam.”
Povolny said there are “interactive maps” online showing Peloton bikes and treadmills in the US that could provide attackers with an easy way to find those in public areas and ultimately access users’ accounts. Hackers could then upload a “completely modified malicious image” that would eventually give them access to a rider’s microphone, camera and apps, he said.
“You couldn’t just spy on riders, but, perhaps more importantly, their environment, sensitive information,” Povolny said.
Peloton confirmed in a statement that McAfee engineers had alerted them to the issue “through our Coordinated Vulnerability Disclosure Program” and said they were working with the security company to resolve the issue. McAfee said it disclosed the vulnerability to Peloton about three months ago and heard from the company within a few weeks.
“McAfee reported to us a vulnerability that required direct, physical access to a Peloton Bike+ or Tread to exploit the issue,” the fitness equipment company said in a statement. “Peloton also pushed a mandatory update to affected devices last week that addressed this vulnerability.”
Experts say that any device that connects to the Internet, such as a TV, appliance, or even a toy, could be a way for hackers to get your personal information. Cybersecurity experts say you should enable automatic software updates and consider security software for your home network.
Peloton recalled its Tread+ and Tread treadmills early last month, citing safety concerns that arose after countless people were injured and a child died. The Consumer Product Safety Commission, or CPSC, had urged parents to stop using the Tread+ in an “urgent warning” it issued on April 17.
“CPSC staff believe that Peloton Tread+ poses serious risks to children for abrasions, fractures and death,” said a CPSC statement. “In light of multiple reports of children being trapped, restrained and pulled under the rear roller of the product, CPSC is urging consumers with children at home to stop using the product immediately.”
Peloton initially disputed the CPSC’s statement, saying the advice to all parents was “inaccurate and misleading.” The company later apologized for not immediately following the agency’s advice.
Following the May 5 recall of nearly 125,000 treadmills, Peloton has updated its software to require users to enter a code to restart the belt after it has been stationary for up to 45 seconds.