In a report released Wednesday, cybersecurity company McAfee said it discovered a vulnerability that allows hackers to access Peloton’s bike screen and potentially spy on riders using its microphone and camera. However, the threat most likely affects only the $2,495 bike used in public spaces, such as in hotels or gyms, because the hacker needs to physically access the screen using a USB drive containing malicious code.
According to McAfee’s Advanced Threat Research team, a hacker can discreetly control the stationary bike’s screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users’ log-in information. Perhaps more alarmingly, the cybersecurity team was able to spy on users via the camera and microphone, which are normally used for video chats with other users.
“As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing.
Internet-connected devices, whether they are bikes, computers or even refrigerators, are all susceptible to hacks. Cyberattacks have increasingly caught the public’s attention, with high-profile companies including McDonald’s, Microsoft and Electronic Arts publicly revealing recent security breaches.
McAfee said it pored over Peloton’s software with a “critical eye” to find vulnerabilities and warn users. The two companies worked together to “responsibly develop and issue a patch.”
Peloton released a mandatory software update to users earlier this month that fixes the issue. The security risk doesn’t affect the lower-priced Peloton Bike because it uses a different type of touchscreen.
This is an important reminder for users of all connected devices to activate automatic software updates to keep them protected against the latest attacks, according to McAfee.
“Stay on top of software updates from your device manufacturer, especially since they will not always advertise their availability,” McAfee’s researchers said. “Visit their website regularly to ensure you do not miss news that may affect you.”
This report marks the second security concern for Peloton in two months. In May, the fitness firm released a security update that sealed a leak that was revealing personal account information, such as a user’s age, city and weight. News of that bug was released the same day Peloton recalled its treadmill after a child died and others were injured while the machine was operating.