Report Says Hackers Can Spy on You When You’re on Your Peloton Bike, Treadmill

June
17, 2021

3 min read

The benefit of working out from the comfort of your own home is being able to sweat it out without anyone having to see you, which is especially key when putting yourself in a vulnerable state.

The fitness industry at large had to double down on at-home options and equipment amid the pandemic due to safety precautions and restrictions.

Peloton (PTON) was one of the big winners in a year that was tough for so many fitness companies, hitting its first $1 billion sales quarter in Q4 of 2020, seeing a revenue increase of 128% year-over-year at $1.06 billion.

But the recent discovery of a potential security issue that would allow hackers to spy on riders through their bike microphones and cameras could threaten to take away the privacy that loyal riders — and paying customers — value so dearly.

“The issue reported to us by McAfee requires that an attacker be able to connect directly to one of the USB ports on the tablet on the Bike+ or the Tread,” Adrian Stone, VP and head of global information security at Peloton, said in a statement on Wednesday. “They would then be able to modify the software on the device, and could then install malware or access data that is communicated between the device and our services.”

Peloton assured users that the issue was “already fixed” via a software update that all device owners will be required to install.

McAfee kept the issue “confidential” until Peloton was able to internally fix it, a partnership in communication that Peloton called an “essential collaboration.”

McAfee also released its own report on the potential hacker loophole.

“The team discovered that the Bike’s system was not verifying that the device’s bootloader was unlocked before attempting to boot a custom image,” the technological security behemoth said in a statement. “This means that the bike allowed researchers to load a file that wasn’t meant for the Peloton hardware — a command that should normally be denied on a locked device such as this one.”

Both companies explained that hackers could access Peloton’s internal system only if they had direct contact with and access to the bike via use of the USB ports located on the Bike+ and the Tread.

“At Peloton, we’re always talking about our community and our Members,” Peloton said. “Keeping in touch with the external security community is one of the ways Peloton invests in the security of our products.”

The fitness giant came under fire earlier this spring when it recalled over 125,000 of its treadmills after more than 70 people reported injuries and one child died from injuries related to the machine. 

Peloton released a new feature called “tread lock,” which locks the treadmills after 45 seconds of inactivity as a result.

The company went public at $29 per share in September 2019, giving it an $8.1 billion valuation at the time.

Peloton shares are unsurprisingly up nearly 118% year-over-year.