IoT Security

Multiple Security Issues Identified in Peloton Fitness Equipment

Internet-connected Peloton workout equipment is impacted by multiple security risks, such as having USB debugging enabled.


Internet-connected Peloton fitness equipment is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware, cybersecurity firm Check Point reports.

An analysis of the software running on the Peloton Treadmill revealed two classes of risk: those inherent to an Android build that has not been updated to a current platform version, and those available to an attacker with physical access to the device.

The treadmill, Check Point explains, runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years.

Furthermore, the device was found to have USB debugging enabled. An attacker with physical access can therefore connect over the Android Debug Bridge (adb), enumerate every installed package and open a shell on the device, compromising the treadmill completely.

“Shell is fully accessible, which means that the application can be fetched for further security analysis. Cybercriminals could exploit vulnerabilities on apps and take advantage of the embedded binaries in /shell to make lateral movements,” Check Point explains.

With that shell, an attacker can run commands to exfiltrate data from the treadmill or go after the installed applications, which target different SDK versions and so do not all benefit from the platform's newer security defaults. The application packages can also be pulled from the device for reverse engineering and for extracting embedded secrets.

According to Check Point, some applications on the device incorporate root-detection mechanisms, but those checks do not stop an attacker who already has a shell from using runtime instrumentation techniques to identify further vulnerabilities in the applications.


Additionally, the cybersecurity firm found sensitive information hardcoded on the device, including a license key for a text-to-speech voice service. With that key in hand, Check Point says, the service could be abused for denial of service (DoS).
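As an added example (not Check Point's tooling or Peloton's code), the following Python script shows the secret-hunting step that follows pulling an APK off the device (for instance with adb pull after locating it with adb shell pm path): every zip entry is scanned for strings that look like license keys, API keys, private keys or tokens. The APK here is constructed in memory with a fake text-to-speech license key; the entry names, key formats and regexes are illustrative assumptions.

```python
import io
import re
import zipfile

# Regexes for the kinds of secrets that turn up in shipped apps. Each pattern
# either captures the secret value in group 1 or matches a whole marker.
SECRET_PATTERNS = {
    "license_key": re.compile(r"(?i)licen[sc]e[_-]?key\W{0,3}([A-Za-z0-9_\-]{16,})"),
    "api_key": re.compile(r"(?i)api[_-]?key\W{0,3}([A-Za-z0-9_\-]{16,})"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}"),
}


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK pulled off a device. Real APKs carry
    compiled resources (resources.arsc) and DEX code; this zip uses plain
    text entries so the scan is readable, plus a dummy classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("res/values/strings.xml",
                   '<resources>\n'
                   '  <string name="app_name">Treadmill</string>\n'
                   '  <string name="tts_license_key">EXAMPLE-1234-ABCD-5678-EFGH</string>\n'
                   '</resources>\n')
        z.writestr("assets/config.properties",
                   "endpoint=https://example.invalid/api\n"
                   "api_key=sk_live_EXAMPLEexampleEXAMPLE12\n")
        # Minimal fake DEX header: the scan treats it as bytes, so only ASCII
        # string constants inside a real DEX would be found.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


def redact(value: str) -> str:
    """Keep enough to identify the hit in a report without copying the secret."""
    return (value[:4] + "..." + value[-2:]) if len(value) > 8 else "***"


def scan_apk(apk_bytes: bytes):
    """Return (entry, label, redacted_value) for every secret-looking string.

    Every entry is scanned as raw bytes decoded with latin-1 (a lossless
    byte-to-str mapping), so ASCII/UTF-8 strings inside classes.dex and
    resources.arsc are covered too. UTF-16 resource strings are not.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            text = z.read(info.filename).decode("latin-1")
            for label, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    value = m.group(1) if pattern.groups else m.group(0)
                    findings.append((info.filename, label, redact(value)))
    return findings


if __name__ == "__main__":
    for entry, label, hint in scan_apk(build_sample_apk()):
        print(f"{entry}: {label} ({hint})")
```

On a real APK the resource strings are compiled into resources.arsc and the manifest is binary XML, so decode with apktool first if you want readable context; the raw-byte scan still catches UTF-8 values in classes.dex. Treat every hit as a lead to confirm, not as proof: the patterns are heuristics and will both miss obfuscated keys and flag harmless strings.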

The treadmill also exposes services and broadcast receivers that other applications on the device can reach without holding any permission. A malicious app could use them to escalate privileges and read sensitive data, or could bombard a broadcast receiver to push the device into an infinite loop that blocks updates.
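One way to triage findings of this kind, as an added example rather than Check Point's method: parse a decoded AndroidManifest.xml and list every activity, service, broadcast receiver or content provider that other apps can reach without a permission check. The manifest below is constructed for illustration; the package and component names are assumptions, not Peloton's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """Qualified name for an android:attr attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest modelled on the findings in the text: an update service
# and a broadcast receiver that any app on the device can reach, next to
# components that are either not exported or gated by a permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.treadmill">
  <uses-sdk android:targetSdkVersion="29" />
  <application>
    <service android:name=".UpdateService" android:exported="true" />
    <service android:name=".TelemetryService" android:exported="true"
             android:permission="com.example.treadmill.permission.TELEMETRY" />
    <receiver android:name=".UpdateRestartReceiver">
      <intent-filter>
        <action android:name="com.example.treadmill.RESTART_UPDATE" />
      </intent-filter>
    </receiver>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <provider android:name=".LogProvider" android:exported="false"
              android:authorities="com.example.treadmill.logs" />
  </application>
</manifest>
"""


def is_exported(component: ET.Element) -> bool:
    """Apply Android's export rule: an explicit android:exported wins; without
    it, a component is exported exactly when it declares an intent-filter
    (the implicit rule that applied up to targetSdk 30)."""
    explicit = component.get(android("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher_activity(component: ET.Element) -> bool:
    """The launcher activity has to be exported, so it is not a finding."""
    for cat in component.iter("category"):
        if cat.get(android("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def find_unprotected_components(manifest_xml: str):
    """Return (tag, name) for every exported component that neither requires
    a permission nor is the launcher activity, i.e. anything a malicious app
    installed alongside could start, bind to or broadcast to at will."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            if comp.get(android("permission")):
                continue
            if tag == "activity" and is_launcher_activity(comp):
                continue
            findings.append((tag, comp.get(android("name"))))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_components(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

Run it against the AndroidManifest.xml that apktool writes when decoding an APK, since the manifest packaged inside the APK is binary XML. Each unprotected receiver in the output is a candidate for the broadcast flood described above and each unprotected service for the privilege-escalation path; confirm on the device before reporting, because a component may still validate its caller in code.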

The security firm also discovered “differences in the signature scheme of the installed apps”, meaning the packages are not all signed under the same APK signature scheme versions, which could potentially expose the device to malicious attacks. A quick way to see which schemes each pulled package carries is apksigner verify with the --verbose and --print-certs options.

“The treadmill operating system includes numerous standard APIs that can be exploited to execute Android code, allowing attackers to carry out nefarious actions from a networking perspective and take advantage of the device’s always-on nature. Moreover, the presence of a webcam and microphone makes the treadmill vulnerable to eavesdropping attacks if malware is installed,” Check Point says.

The cybersecurity firm was able to sideload a mobile remote access tool (MRAT) on the device, gaining full access to the treadmill’s functionality, including audio recording, taking photos, accessing geolocation, and abusing the network stack.

According to Check Point, the compromised device also provided “full access to the local area network”, which could be leveraged for additional malicious activities.

Using social engineering, Check Point notes, an attacker could gain access to a high-profile individual’s treadmill, either at their household or office, and could then install a backdoor on the device, thus gaining access to the network.

“With this access, the attacker can carry out lateral movement, steal personally identifiable information, launch ransomware attacks, access corporate credentials, or perform a denial-of-service attack. Essentially, once the attacker has remote control over the treadmill, they have a significant advantage and can escalate their attack surface,” Check Point notes.

After being informed of these issues, Peloton told Check Point that “they meet expected security measures for Android-based devices,” pointing out that physical access is required for exploitation.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
