According to McAfee, a security vulnerability in the Peloton Bike+, involving its Android attachment and a USB stick, could allow hackers to install malware and steal information from cyclists.
Exclusive: McAfee Finds Security Vulnerability in Peloton Products
According to a post on McAfee's blog, the team reported the issue to Peloton a few months ago and the companies began working together to develop a patch. The patch has since been tested, confirmed effective on June 4, and rolled out last week. Typically, security researchers wait until vulnerabilities are patched before announcing the issue.
The exploit allowed hackers to use their own software, loaded via a USB drive, to manipulate the Peloton Bike+ operating system. They could steal information, establish remote internet access, install fake apps to trick riders into giving up personal information, and more. It was also possible to bypass the encryption on the bike’s communications, leaving other cloud services and the databases it accessed vulnerable.
The biggest risk from this exploit was for public Pelotons, such as those at a shared gym, where hackers could have easier access. However, private users were also vulnerable, as malicious parties could have access to the system during the bike’s construction and distribution. The new patch addresses this issue, but McAfee warns that Peloton Tread equipment, which it did not include in its research, could still be compromised.