Internet-connected Peloton fitness equipment is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware, cybersecurity firm Check Point reports.
An analysis of the software running on the Peloton Treadmill has revealed exposure to security risks associated with Android devices that are not updated to the most recent platform iterations, as well as risks posed by attackers with physical access to the device.
The treadmill, Check Point explains, runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years.
Furthermore, the device was found to have USB debugging enabled, meaning that an attacker with physical access could retrieve a list of all installed packages and could also obtain shell access, compromising the treadmill completely.
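The two findings above (an unpatched OS release and USB debugging left on) are both visible from the device's system properties. The following is an added defender-side check, not Check Point's tooling or Peloton's code: it parses the output of `adb shell getprop` and flags the properties that indicate a debug-friendly, stale build. The sample property dump is constructed for illustration and does not reproduce the treadmill's actual values; the one-year patch-age threshold is an assumption to adjust to local policy.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output for a debug-friendly build.
# Values are illustrative only, not taken from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-09-05]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[sys.usb.config]: [mtp,adb]
[persist.sys.usb.config]: [mtp,adb]
"""

# Constructed sample of what a locked-down production build would report.
HARDENED_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2023-12-05]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[sys.usb.config]: [charging]
[persist.sys.usb.config]: [none]
"""

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; tolerates CRLF and unrelated lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props


def patch_age_days(props, today):
    """Days since the security patch level; None if the property is missing."""
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return None
    year, month, day = (int(part) for part in patch.split("-"))
    return (today - date(year, month, day)).days


def audit_props(props, today, max_patch_age_days=365):
    """Return a list of finding codes; an empty list means no issue detected."""
    findings = []
    # ADB over USB is on if either the live or the persisted USB config lists it.
    usb_modes = (props.get("persist.sys.usb.config", "") + ","
                 + props.get("sys.usb.config", "")).split(",")
    if "adb" in usb_modes:
        findings.append("ADB_ENABLED")
    # ro.debuggable=1 and ro.secure=0 mark userdebug/eng builds where adb
    # runs as root and debugging cannot be fully switched off.
    if props.get("ro.debuggable") == "1":
        findings.append("DEBUGGABLE_BUILD")
    if props.get("ro.secure") == "0":
        findings.append("INSECURE_BUILD")
    # ro.adb.secure=0 means no RSA key approval prompt before a host gets a shell.
    if props.get("ro.adb.secure") == "0":
        findings.append("ADB_NO_AUTH")
    # A patch level older than the threshold is the "unpatched OS" condition.
    age = patch_age_days(props, today)
    if age is not None and age > max_patch_age_days:
        findings.append("STALE_PATCH")
    return findings


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_GETPROP), ("hardened", HARDENED_GETPROP)):
        print(label, audit_props(parse_getprop(dump), date(2024, 1, 1)))
```

Against a real device, feed it `adb shell getprop` captured to a file; `adb shell settings get global adb_enabled` is a second, independent signal for USB debugging. A device that returns `ADB_ENABLED` together with `ADB_NO_AUTH` is the case the article describes: anyone with a cable gets a shell without a fingerprint prompt.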
“Shell is fully accessible, which means that the application can be fetched for further security analysis. Cybercriminals could exploit vulnerabilities on apps and take advantage of the embedded binaries in /shell to make lateral movements,” Check Point explains.
An attacker could use specific commands to exfiltrate data from the treadmill, or they could exploit the existing applications, which are compiled using different SDK versions. Applications can also be fetched for reverse engineering and for extracting secrets.
According to Check Point, some applications on the device incorporate rooting detection mechanisms, but an attacker could use certain techniques to identify further vulnerabilities in the applications at runtime.
Additionally, the cybersecurity firm identified hardcoded sensitive information on the device, such as a license key for a text-to-speech voice service. The service could be abused for denial-of-service (DoS), Check Point says.
Certain unprotected services were also identified on the treadmill, potentially allowing malicious applications to escalate privileges and gain access to sensitive data, or to abuse broadcast receivers and send the device into an infinite loop, preventing updates.
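"Unprotected services" and abusable broadcast receivers are, in manifest terms, components that are exported without an `android:permission` guard. The following is an added example of that audit, written here and not derived from Check Point's analysis or the treadmill's real applications: it walks a decoded `AndroidManifest.xml` (as produced by a tool such as apktool) and lists exported services, receivers and activities that any co-installed app may reach. The manifest below is constructed with a hypothetical package name; the default-export rule it applies is the pre-Android 12 one, noted in the code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Fully-qualified attribute name for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest for a hypothetical app; not a real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <application>
    <service android:name=".UpdateService" android:exported="true"/>
    <service android:name=".TelemetryService" android:exported="true"
             android:permission="com.example.fitness.TELEMETRY"/>
    <receiver android:name=".RebootReceiver">
      <intent-filter>
        <action android:name="com.example.fitness.RESTART"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Content providers follow different default-export rules and are left out here.
COMPONENT_TAGS = ("service", "receiver", "activity")


def is_exported(component):
    """Apply the platform default: explicit android:exported wins; otherwise a
    component with an intent-filter is exported (the rule before Android 12,
    which requires the attribute whenever a filter is present)."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher_activity(component):
    """The launcher activity is meant to be public; do not report it."""
    for action in component.iter("action"):
        if action.get(android_attr("name")) == "android.intent.action.MAIN":
            return True
    return False


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) pairs for exported components with no permission guard."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    for component in application:
        if component.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(component):
            continue
        if component.get(android_attr("permission")):
            continue
        if component.tag == "activity" and is_launcher_activity(component):
            continue
        findings.append((component.tag, component.get(android_attr("name"))))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print("exported without permission:", tag, name)
```

`.RebootReceiver` is reported even though it never says `exported="true"`: the intent-filter alone makes it reachable on the older platform release the article describes, which is exactly how a receiver that triggers a restart or blocks an update becomes abusable by any app on the device. The fix on the app side is an explicit `android:exported="false"` or a signature-level `android:permission`.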
The security firm also discovered “differences in the signature scheme of the installed apps”, which could potentially expose the device to malicious attacks.
“The treadmill operating system includes numerous standard APIs that can be exploited to execute Android code, allowing attackers to carry out nefarious actions from a networking perspective and take advantage of the device’s always-on nature. Moreover, the presence of a webcam and microphone makes the treadmill vulnerable to eavesdropping attacks if malware is installed,” Check Point says.
The cybersecurity firm was able to sideload a mobile remote access tool (MRAT) on the device, gaining full access to the treadmill’s functionality, including audio recording, taking photos, accessing geolocation, and abusing the network stack.
According to Check Point, the compromised device also provided “full access to the local area network”, which could be leveraged for additional malicious activities.
Using social engineering, Check Point notes, an attacker could gain access to a high-profile individual’s treadmill, either at their household or office, and could then install a backdoor on the device, thus gaining access to the network.
“With this access, the attacker can carry out lateral movement, steal personally identifiable information, launch ransomware attacks, access corporate credentials, or perform a denial-of-service attack. Essentially, once the attacker has remote control over the treadmill, they have a significant advantage and can escalate their attack surface,” Check Point notes.
After being informed of these issues, Peloton told Check Point that “they meet expected security measures for Android-based devices,” pointing out that physical access is required for exploitation.