Is your workout equipment hackable?
In a recent report, Check Point security experts have revealed concerning vulnerabilities found in internet-connected workout equipment, particularly the widely popular Peloton Treadmill.
The findings shed light on potential security threats posed by these advanced exercise machines, which could grant malicious actors access to user databases, exposing sensitive data of Peloton users.
Simply out, you have a hackable workout equipment.
The investigation conducted by the experts emphasizes the significance of understanding non-typical ways to compromise IoT devices, considering the increasing prevalence of internet-connected gym equipment.
With more devices connected to the internet, it becomes imperative to recognize and mitigate potential risks associated with these devices.
The report highlights three main attack vectors: The Operating System, The Applications, and Malware, each exposing various security vulnerabilities.
This is not the first time that Peloton workout equipment has been featured in the cybersecurity news for the wrong reasons.
Cybersecurity firm McAfee in 2021 identified a critical vulnerability in Peloton’s Bike+ line and Tread exercise equipment.
This vulnerability could potentially grant an attacker complete and undetected access to the device, including its camera and microphone.
Workout equipment hackable? Highly possible!
The tested Peloton Treadmill operates on the Android 10 operating system, based on build number QT.22082.A.
However, the fact that the latest available Android version is Android 13 leaves the treadmill potentially susceptible to over 1100+ vulnerabilities from 2022 and 2023 alone.
One significant concern is that malicious actors could enable USB debugging and gain access to the treadmill’s shell, increasing the attack surface and exposing the device to potential exploitation.
The applications running on the Peloton Treadmill were found to have certain security flaws.
Some apps incorporate rooting detection mechanisms to prevent unauthorized software from running on the device, but techniques to bypass this detection were discovered.
Additionally, hardcoded sensitive information and text-to-speech voice services with cleartext storage pose security risks.
Unprotected services could escalate privileges, potentially granting access to personal data, while broadcast receivers could facilitate malicious control over the treadmill.
“Once access is granted, the attacker can quickly install a backdoor on the treadmill and gain access to the network,” said the CheckPoint report.
“With this access, the attacker can carry out lateral movement, steal personally identifiable information, launch ransomware attacks, access corporate credentials, or perform a Denial-of-Service attack.”
Malware for workout equipment
The presence of standard APIs in the treadmill’s operating system makes it susceptible to malware attacks.
The researchers successfully compromised the treadmill by sideloading a mobile remote access tool (MRAT), essentially turning it into a remotely controlled IoT device capable of eavesdropping, recording audio, and accessing geolocation data.
“Since the compromised treadmill is difficult to detect, it is highly unlikely for investigators to suspect it as the source of the attack,” said the Check Point report.
“Even if the compromised treadmill is discovered, the malicious actor may have already covered their tracks and accomplished their goal.”
To address these vulnerabilities responsibly, Check Point disclosed their findings to Peloton.
In response, Peloton stated that the reported issues meet expected security measures for Android-based devices and pertain to scenarios requiring physical access to the device.
“We have reviewed the reported issues and determined that they meet expected security measures for Android-based devices,” said the Peloton statement to CheckPoint.
“The concerns raised in this report pertain to scenarios that require an attacker to have physical access to the device.”
Check Point recommends developing a comprehensive cybersecurity strategy and using solutions like Quantum IoT Protect to safeguard IoT devices from emerging threats.
By gaining visibility into connected IoT devices and establishing autonomous zero-trust access policies, organizations can protect against potential cyber-attacks and ensure the safety and reliability of their IoT ecosystem.