Peloton Fitness Equipment Hacking

People interested in physical fitness and losing a couple of pounds have one more thing to worry about besides a visit to the bathroom scale. Internet-connected Peloton fitness equipment is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware.

An analysis of the software running on the Peloton Treadmill has revealed exposure to security risks associated with Android devices that are not updated to the most recent platform iterations, as well as risks posed by attackers with physical access to the device.

The treadmill runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years.  The device was found to have USB debugging enabled, meaning that an attacker with physical access could retrieve a list of all installed packages and could also obtain shell access, compromising the treadmill completely.

The shell is fully accessible, which means that the application can be fetched for further security analysis. Cybercriminals could exploit vulnerabilities in apps and take advantage of the embedded binaries in /shell to move laterally.

An attacker could use specific commands to exfiltrate data from the treadmill, or they could exploit the existing applications, which are compiled using different SDK versions. Applications can also be fetched for reverse engineering and for extracting secrets.

According to researchers, some applications on the device incorporate rooting detection mechanisms, but an attacker could use certain techniques to identify further vulnerabilities in the applications at runtime.

You might not think much about the security of your appliances compared to other high-tech gadgets you may own. Rightfully so, given the limited interactions we have with them. Momentum in the smart home space over the last several years, however, has led to always-connected devices. From robot vacuums that autonomously clean our homes, to Wi-Fi enabled air conditioners that can be operated through voice assistants, there is no denying the lifelong conveniences they offer.

The rush to evolve the smart home has some unintended consequences. Privacy and security are paramount for security cameras, highlighted by Ring’s hacking woes last year. With smart appliances, the concern around hacks centers on safety.

While it is unlikely that you will be physically harmed by coming home to an extra toasty house because your smart thermostat was hacked, there are other malicious hacks that can put you at risk. Reports of appliance hacks are relatively sparse. There has not been a substantial hack or enough devices affected to warrant fear about compromised smart appliances, for now. Unlike other smart home devices that have made headlines due to hacks, appliances have avoided a major headline problem.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

 TR-23-213-003.pdf
