Exclusive: McAfee finds security vulnerability in Peloton products

Liat Weinstein and Vicky Nguyen

In this article

Cari Gundee rides her Peloton exercise bike at her home in San Anselmo, California, April 6, 2020.
Ezra Shaw | Getty Images

Software security company McAfee said it exposed a vulnerability in the Peloton Bike+ that allowed attackers to install malware through a USB port and potentially spy on riders.

The Advanced Threat Research Team at McAfee said the problem stemmed from the Android attachment that accompanies the Peloton stationary exercise Bike+. McAfee said attackers could access the bike through the port and install fake versions of popular apps like Netflix and Spotify, which could then fool users into entering their personal information.

More from NBC News:
Chrissy Teigen has a history of bullying. Her targets are speaking out
Extreme heat in the West could produce temps up to 127 degrees
Iowa man convicted of assault over mask fight sentenced to 10 years

A Peloton Bike+ in a public, shared place, such as a hotel or a gym, would be especially vulnerable to the attack.

"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam."

Povolny said there are "interactive maps" online showing Peloton bikes and treadmills in the U.S., which can give attackers an easy way to find those in public spaces and eventually access users' accounts. Hackers could then upload a "completely customized malicious image" that would eventually grant them access to a rider's microphone, camera and apps, he said.

"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.

Peloton confirmed in a statement that engineers from McAfee alerted them to the problem "via our Coordinated Vulnerability Disclosure program" and said they were working with the security company to fix the issue. McAfee said it disclosed the vulnerability to Peloton about three months ago and heard back from the company within a couple of weeks.

"McAfee reported a vulnerability to us that required direct, physical access to a Peloton Bike+ or Tread to exploit the issue," the exercise equipment company said in a statement. "Peloton also pushed a mandatory update to affected devices last week that addressed this vulnerability."

Experts say any device that connects to the internet — like a TV, an appliance or even a toy — could be a way for hackers to get your personal data. Cybersecurity experts say you should turn on automatic software updates and consider security software for your home network.

Peloton recalled its Tread+ and Tread treadmills early last month, citing safety concerns that arose after numerous people were injured and a child died. The Consumer Product Safety Commission, or CPSC, had urged parents to stop using the Tread+ in an "urgent warning" it issued April 17.

"CPSC staff believes the Peloton Tread+ poses serious risks to children for abrasions, fractures, and death," a CPSC statement read. "In light of multiple reports of children becoming entrapped, pinned, and pulled under the rear roller of the product, CPSC urges consumers with children at home to stop using the product immediately."

Peloton initially rebuked the CPSC's statement, saying its advice to all parents was "inaccurate and misleading." The company later apologized for not having immediately followed the agency's advice.

After the recall of nearly 125,000 treadmills on May 5, Peloton updated its software to require users to enter a code to restart the belt if it has been left unmoving for up to 45 seconds.