Peloton Bike+ Plagued by Bootloader Vulnerability Giving Actors Root Access

  • McAfee researchers discovered that it’s possible to run custom OS images on Peloton Bike+.
  • This should be prevented by AVB, which is in place, but a bug in its implementation allows the exploit.
  • Peloton addressed the flaw via an update quickly after receiving McAfee’s report, so you should update your device now.

If you own and use a Peloton Bike+, you should apply the available patches immediately, updating to software version “PTX14A-290” or later. This release fixes a critical bootloader vulnerability discovered and reported to Peloton by McAfee’s Advanced Threat Research team, and which opened up an entire set of exploitation potential for malicious actors.

That would include spying on the user through the device’s microphone and camera, accessing personal data on the fly, installing additional software or modifying existing software (via root-level access), performing “man in the middle” attacks, sniffing network traffic, and more.

The problems begin with a bypass of the Android Verified Boot process to fully compromise the Android OS that runs on the Peloton Bike+. Typically, that would happen by planting a malicious booting agent, which would run a modified OS image that gives the actor elevated privileges.

Practically, this requires physical access to the device, but considering the type of product, one would have numerous tampering opportunities. From service and maintenance technicians to warehouse storage or retail store employees, a large number of people could potentially plant a malicious image before the device is even bought and set up.

McAfee’s researchers used a generic TWRP recovery image while exploring various system backup methods, and to their surprise, they found that it got past the fastboot boot command. This was a sign that custom images weren’t verified properly by the Android Verified Boot system.

Next, they acquired an image from an OTA (over the air) update, as they still needed a valid kernel and drivers for the device, modified it for their attack scenarios, and then loaded it onto the Bike+. Since they had incorporated the “su” command in the new image, they could easily gain root-level access to all functions of the system.
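To make concrete what the Android Verified Boot check described above is supposed to enforce, here is an added toy model written for this article; it is not McAfee’s or Peloton’s code, and it does not reproduce the actual bug. It replaces AVB’s RSA-signed vbmeta with an HMAC over a JSON list of partition hashes (a labelled simplification), pins a constructed OEM key as the root of trust, and then shows that a factory image passes while a third-party recovery, an OTA-derived image with “su” added, and a vbmeta re-signed without the OEM key are all refused, regardless of how the image reached the bootloader. Every key, image and partition name in it is constructed sample data.

```python
"""Toy model of an Android Verified Boot (AVB) style image check.

Simplifications (assumptions for this example): vbmeta is a JSON map of
partition name -> SHA-256 hex digest, and it is authenticated with HMAC-SHA256
instead of an RSA signature whose public-key hash is burned into fuses.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed stand-in for the OEM signing key pinned by the bootloader.
OEM_KEY = b"constructed-oem-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_vbmeta(key: bytes, partitions: Dict[str, bytes]) -> Tuple[bytes, bytes]:
    """Build a vbmeta-like blob of expected partition hashes and sign it.

    Returns (vbmeta_bytes, signature). Only the OEM holds OEM_KEY; any other
    key models an attacker who can forge descriptors but not the signature.
    """
    descriptors = {name: sha256_hex(blob) for name, blob in sorted(partitions.items())}
    vbmeta = json.dumps(descriptors, sort_keys=True).encode()
    sig = hmac.new(key, vbmeta, hashlib.sha256).digest()
    return vbmeta, sig


def verify_vbmeta(vbmeta: bytes, sig: bytes) -> Optional[Dict[str, str]]:
    """Return the descriptors only if vbmeta was signed with the pinned OEM key."""
    expected = hmac.new(OEM_KEY, vbmeta, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(vbmeta)


def verified_boot_allowed(partition: str, image: bytes, vbmeta: bytes, sig: bytes,
                          device_locked: bool = True) -> bool:
    """Decide whether `image` may run as `partition` on this device.

    The decision is independent of how the image arrived (flashed, installed
    by OTA, or handed over with `fastboot boot`): a locked device must verify
    every image against the OEM-signed vbmeta before executing it.
    """
    if not device_locked:
        return True  # an unlocked device has explicitly opted out of verification
    descriptors = verify_vbmeta(vbmeta, sig)
    if descriptors is None:
        return False  # vbmeta missing, tampered, or signed with the wrong key
    expected = descriptors.get(partition)
    if expected is None:
        return False  # partition not covered by vbmeta: refuse rather than trust
    return hmac.compare_digest(expected, sha256_hex(image))


def demo() -> Dict[str, bool]:
    """Run the check against constructed factory and third-party images."""
    factory_boot = b"constructed factory boot image: kernel + drivers"
    factory_system = b"constructed factory system image"
    vbmeta, sig = sign_vbmeta(OEM_KEY, {"boot": factory_boot, "system": factory_system})

    custom_recovery = b"constructed third-party recovery image (TWRP-like)"
    patched_boot = factory_boot + b" + su binary"  # OTA-derived image with su added
    forged_vbmeta, forged_sig = sign_vbmeta(b"constructed-attacker-key",
                                            {"boot": patched_boot, "system": factory_system})

    return {
        "factory boot image": verified_boot_allowed("boot", factory_boot, vbmeta, sig),
        "custom recovery via fastboot boot": verified_boot_allowed("boot", custom_recovery, vbmeta, sig),
        "OTA image with su added": verified_boot_allowed("boot", patched_boot, vbmeta, sig),
        "forged vbmeta without OEM key": verified_boot_allowed("boot", patched_boot, forged_vbmeta, forged_sig),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:36s} -> {'BOOT' if allowed else 'REFUSE'}")
```

The important design point is in `verified_boot_allowed`: the only inputs to the decision are the lock state, the pinned key, the signed descriptors and the image bytes. Any code path that lets an image run without going through that function, whatever command delivered it, is the kind of gap the article describes, which is why Peloton’s fix is said to cover every delivery route rather than one command.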

Source: McAfee

Peloton’s fix addresses the AVB check gap and prevents all third-party builds from running on the device, so the mitigation covers all possible iterations of the attack. In this case, the protection system (AVB) was actually in place, but it didn’t work properly due to a bug. If it wasn’t for McAfee’s digging, it could have gone unnoticed and potentially exploited for a long time.

Last month, a security researcher discovered API access flaws in the Peloton network, enabling anyone to freely access sensitive data about Peloton users without leaving a trace or indication. Peloton was characteristically slow in admitting and addressing the reported flaw, leaving its entire userbase prey to malicious actors for a total of four months. In the case of the bootloader, though, the fix came a lot quicker.
