Vulnerabilities exposed Peloton treadmills to malware and DoS attacks


The security vulnerabilities found in Peloton treadmills left them susceptible to a wide range of attacks, jeopardizing user data and opening the door to unauthorized access.

In the age of advancing technology and increasing connectivity, internet-connected gym equipment has gained significant popularity among fitness enthusiasts. However, this convenience comes with a new concern – potential security threats.

As the usage of these smart workout machines rises, experts have begun to explore their vulnerabilities, with the widely known Peloton Treadmill coming under scrutiny. It is worth noting that this is not the first time Peloton products have been found to have security vulnerabilities. Previously, researchers found a vulnerability that exposed Peloton bikes and treadmills to malware attacks.

The cybersecurity researchers at Check Point Research (CPR), the research arm of Check Point Software Technologies, investigated the security of internet-connected gym equipment, using the Peloton Treadmill as their test case. The findings group the risks into three areas: the Operating System, the Applications, and Malware.

The Operating System:

The Peloton Treadmill runs Android 10, an OS version with more than 1,100 published vulnerabilities (CVEs) from recent years. Additionally, USB debugging was left enabled, which exposes the Android Debug Bridge (ADB) over the USB port: anyone with a cable and a few minutes alone with the console can open a shell, install packages and pull data, making the device a prime target for attackers seeking to compromise sensitive information.

The Applications:

Apps on the treadmill were found to have security flaws of their own, such as root detection mechanisms that could be bypassed and hardcoded secrets stored in cleartext. These weaknesses could lead to unauthorized access, misuse of personal data, and even denial-of-service (DoS) attacks.
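The two findings above (an old Android build with USB debugging left on, and app packages carrying cleartext secrets) are the kind of thing a reviewer checks offline from artifacts pulled over ADB. The following script is an added example and is not Check Point Research's tooling or any Peloton code; it runs over constructed stand-ins for `adb shell getprop` output, the `settings get global adb_enabled` value, and a decoded `res/values/strings.xml`, and the Android version floor it enforces is an assumption chosen for the example.

```python
"""Offline triage of artifacts pulled from an Android-based device console.

Added illustration, not CPR's tooling or Peloton's code. All inputs below are
constructed samples standing in for real device output.
"""
import math
import re
from collections import Counter

# --- Constructed sample artifacts (not real device output) ---
GETPROP_DUMP = """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2021-02-05]
[ro.debuggable]: [1]
[ro.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

ADB_ENABLED_SETTING = "1"   # stand-in for: adb shell settings get global adb_enabled

STRINGS_XML = """\
<resources>
  <string name="app_name">Console</string>
  <string name="api_base">https://api.example.invalid/v1</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="service_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZXZpY2UifQ.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</string>
  <string name="support_url">https://support.example.invalid</string>
</resources>
"""

# Assumption for the example: the reviewer's policy floor for an acceptable Android release.
MIN_SUPPORTED_ANDROID = 13


def parse_getprop(dump):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", dump, re.M):
        props[m.group(1)] = m.group(2)
    return props


def os_findings(props, adb_enabled_setting):
    """Flag OS-level attack-surface issues: old release, ADB exposure, debug build."""
    findings = []
    release = props.get("ro.build.version.release", "")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        major = 0
    if major < MIN_SUPPORTED_ANDROID:
        findings.append(f"android_release_below_floor:{release}")
    if adb_enabled_setting.strip() == "1":          # USB debugging toggle in Settings
        findings.append("usb_debugging_enabled")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("usb_config_includes_adb")   # adb function active on the USB port
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable_build")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0_adbd_runs_as_root")  # adbd gets root on such builds
    return findings


# Signature patterns for common hardcoded credentials found in app resources.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "jwt": re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text, entropy_threshold=4.0, min_len=20):
    """Return (resource_name, finding) pairs for values that look like secrets."""
    findings = []
    for m in re.finditer(r'<string name="([^"]+)">([^<]*)</string>', xml_text):
        name, value = m.group(1), m.group(2)
        matched = False
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(value):
                findings.append((name, label))
                matched = True
        # Fallback: long, high-entropy values that no signature caught (URLs excluded).
        if (not matched and len(value) >= min_len and not value.startswith("http")
                and shannon_entropy(value) >= entropy_threshold):
            findings.append((name, "high_entropy"))
    return findings


if __name__ == "__main__":
    props = parse_getprop(GETPROP_DUMP)
    for f in os_findings(props, ADB_ENABLED_SETTING):
        print("OS:", f)
    for name, label in scan_strings_xml(STRINGS_XML):
        print("APP:", name, "->", label)
```

On a real device the three inputs come from `adb shell getprop`, `adb shell settings get global adb_enabled`, and the resources of a pulled APK decoded with apktool; the regex signatures are a starting set, and the entropy fallback exists precisely to catch tokens that no signature knows about.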

Malware:

According to CPR’s blog post, the standard Android APIs available on the treadmill’s operating system can be abused to install malware, potentially turning the device into a “zombie” IoT device remotely controlled by attackers. Such a compromise could enable eavesdropping and give the attacker a foothold on the local area network.

The potential security risks are not limited to technical aspects alone. The researchers presented a hypothetical scenario in which a high-profile individual’s treadmill is targeted by a malicious actor. In that scenario, social engineering is used to gain access to the individual’s network, paving the way for various cyber attacks, including stealing personal information, launching ransomware attacks, and accessing corporate credentials.

For example, during their testing, the researchers compromised the built-in webcam and microphone of one Peloton treadmill model using a mobile remote access tool (MRAT). This effectively turned the treadmill into a “zombie” Internet of Things (IoT) device under remote control from a command-and-control (C&C) server.

The MRAT gave the researchers unfettered access to the treadmill’s functionality, enabling them not only to record audio and capture images but also to read geolocation data and use the device’s network stack. From that position they could reach into the local area network and carry out a range of malicious activities.

[Image captured by the researchers through the MRAT (Image: CPR)]

Responsible Disclosure

The security findings were responsibly disclosed to Peloton, who acknowledged the reported issues. They emphasized that the concerns raised require an attacker to have physical access to the device and stated their commitment to top-level security.

To ensure the security of IoT devices, including the Peloton Treadmill, a comprehensive cybersecurity strategy is vital. Organizations can leverage solutions like Check Point’s Quantum IoT Protect, which enhances IoT device security by addressing vulnerabilities and protecting against various cyber threats.

RELATED ARTICLES

  1. Electronic Skateboards Are Easy To Hack
  2. Hackers send explicit messages to riders on hacked e-scooters
  3. Exercise tech firm Kinomap leaks 40GB database with 42M records
  4. US Military Targeted by Unsolicited Smartwatches Linked to Breaches
  5. Hackers Can Disable House Arrest Ankle Bracelet without Raising Alert
