"Multiple Security Issues Identified in Peloton Fitness Equipment"

Security researchers at Check Point have discovered that internet-connected Peloton fitness equipment is affected by numerous security issues that could allow attackers to obtain device information or deploy malware. The researchers analyzed the software running on the Peloton Treadmill and found it exposed both to the risks associated with Android devices that are not updated to the most recent platform releases and to risks posed by attackers with physical access to the device. The treadmill runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years.

Furthermore, the device was found to have USB debugging enabled, meaning that an attacker with physical access could retrieve a list of all installed packages and could also obtain shell access, compromising the treadmill completely. The researchers noted that an attacker could use specific commands to exfiltrate data from the treadmill, or could exploit the existing applications, which are compiled against different SDK versions. Applications can also be pulled from the device for reverse engineering and for extracting secrets. According to the researchers, some applications on the device incorporate root-detection mechanisms, but an attacker could use certain techniques to identify further vulnerabilities in the applications at runtime. Additionally, the researchers identified hardcoded sensitive information on the device, such as a license key for a text-to-speech voice service, which could be abused for denial-of-service (DoS). The researchers also noted that certain unprotected services were identified on the treadmill, potentially allowing malicious applications to escalate privileges and gain access to sensitive data, or to abuse broadcast receivers and send the device into an infinite loop, preventing updates.

The researchers also discovered “differences in the signature scheme of the installed apps,” which could potentially expose the device to malicious attacks. They stated that the treadmill operating system includes numerous standard APIs that can be exploited to execute Android code, allowing attackers to carry out nefarious actions from a networking perspective and take advantage of the device’s always-on nature. Moreover, the presence of a webcam and microphone makes the treadmill vulnerable to eavesdropping if malware is installed. The researchers were able to sideload a mobile remote access tool (MRAT) onto the device, gaining full access to the treadmill’s functionality, including audio recording, taking photos, accessing geolocation, and abusing the network stack. According to the researchers, the compromised device also provided “full access to the local area network,” which could be leveraged for additional malicious activities. After being informed of these issues, Peloton told the researchers that “they meet expected security measures for Android-based devices,” pointing out that physical access is required for exploitation.
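The findings above (an outdated platform and patch level, USB debugging left enabled on a production device, and exported Android components that any co-resident app can reach) are exactly the items a fleet owner can check before shipping or during an audit. The script below is an added example written for this summary, not code from Check Point or Peloton. It audits two constructed inputs: a sample of `adb shell getprop` output and a sample `AndroidManifest.xml` excerpt, both embedded inline and labelled as constructed. The policy thresholds (`MIN_ANDROID_VERSION`, `MAX_PATCH_AGE_DAYS`) are assumptions chosen for illustration; the property names are the standard Android ones, but which ones a given vendor image exposes is not something this page states.

```python
"""Posture audit for an Android-based appliance: flags an outdated platform,
a stale security patch level, USB debugging (adbd) enabled, and exported
components that carry no permission guard.  Added example, not the
vendor's code.  Inputs below are constructed samples, not captured data."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Assumed policy thresholds for illustration only.
MIN_ANDROID_VERSION = 12
MAX_PATCH_AGE_DAYS = 90

# Constructed sample of `adb shell getprop` output (same format as the real tool).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2021-01-05]
[ro.debuggable]: [0]
[persist.sys.usb.config]: [mtp,adb]
[init.svc.adbd]: [running]
"""

# Constructed manifest excerpt: one exported service with no permission guard,
# one exported receiver that is guarded, one service that is not exported.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".UpdateReceiver" android:exported="true"
              android:permission="com.example.app.permission.UPDATE"/>
    <service android:name=".PrivateService" android:exported="false"/>
  </application>
</manifest>
"""

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[(.+?)\]: \[(.*?)\]$", text, re.M)}


def check_platform(props, today):
    """Platform version, patch age and debugging state against policy."""
    findings = []
    release = props.get("ro.build.version.release", "")
    major_str = release.split(".")[0]
    major = int(major_str) if major_str.isdigit() else 0
    if major < MIN_ANDROID_VERSION:
        findings.append(f"platform: Android {release or '?'} is below policy minimum {MIN_ANDROID_VERSION}")
    patch = props.get("ro.build.version.security_patch")
    if patch:
        age = (today - date.fromisoformat(patch)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"patch level: {patch} is {age} days old")
    else:
        findings.append("patch level: unknown")
    usb_modes = props.get("persist.sys.usb.config", "").split(",")
    if "adb" in usb_modes or props.get("init.svc.adbd") == "running":
        findings.append("debugging: USB debugging (adbd) is enabled on a production device")
    return findings


def check_manifest(xml_text):
    """Report components explicitly exported without an android:permission.
    Implicit export via intent-filters on old targetSdk levels is not modelled."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag not in ("service", "receiver", "provider", "activity"):
            continue
        exported = elem.get(f"{{{ANDROID_NS}}}exported")
        perm = elem.get(f"{{{ANDROID_NS}}}permission")
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if exported == "true" and not perm:
            findings.append(f"exported {elem.tag} {name} has no permission guard")
    return findings


def audit(getprop_text, manifest_text, today):
    """Combined finding list for one device image."""
    return check_platform(parse_getprop(getprop_text), today) + check_manifest(manifest_text)


if __name__ == "__main__":
    for line in audit(SAMPLE_GETPROP, SAMPLE_MANIFEST, date(2023, 5, 1)):
        print("FINDING:", line)
```

Run against a real device, the `getprop` text would come from `adb shell getprop` and the manifest from the decoded APK of each installed package; the checks themselves stay the same. The manifest check deliberately only looks at explicit `android:exported="true"` without a permission, which is the case the researchers describe as unprotected services; a production auditor would also resolve the implicit-export rules that older `targetSdkVersion` values apply to components with intent filters.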
SecurityWeek reports: "Multiple Security Issues Identified in Peloton Fitness Equipment"
