Hacked While Exercising? Peloton Users Were Vulnerable

Where there’s a hacker, there’s a way. Peloton owners have been in danger of being hacked by bad actors.

Cybersecurity company McAfee recently revealed a vulnerability that allows hackers to gain remote access to electronic exercise bikes. What’s that mean for you? Let’s take a closer look.

McAfee Discovers a Peloton Problem

Peloton bikes have been making waves for their advanced technology and digital user interfaces. Each exercise bike comes equipped with an Android tablet.

Yesterday, McAfee writers revealed that the company found a flaw in the Android Verified Boot (AVB) process that leaves Peloton owners vulnerable.

The report revealed that hackers could remotely access Peloton products and tap into the microphones and cameras. Hackers can also add apps that look like Spotify or Netflix but are just phishing disguises to get users to give away their login information.

McAfee made a video detailing the situation.

The report stated that bikes could be affected at any point, from construction to the warehouse to delivery.

McAfee notified Peloton of the vulnerability in March.

Peloton’s Head of Global Information Security, Adrian Stone, responded:

“This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

Peloton Has Problems Outside of Getting Hacked

This vulnerability is just the latest in a slew of bad news for Peloton. Its treadmill rollout did not go as planned. The company recalled some of its treadmills after receiving reports of over 70 injuries and the death of a 6-year-old. Objects and people were being pulled under the machines.

The company’s CEO, John Foley, pushed back against the federal government’s call for a recall. He later obliged.

Around the same time, a different security company discovered that hackers could access sensitive information from Peloton users, including:

  • User IDs
  • Instructor IDs
  • Group membership
  • Location
  • Workout stats
  • Gender and age
  • If they are in the studio or not

[Image: Peloton users get the bad news. | Source: Twitter]

Despite these issues, the firm had an excellent pandemic, during which it increased revenue exponentially.

If you own a Peloton, be sure to freshen up your knowledge of cybersecurity hygiene and familiarize yourself with phishing attempts.

And if you think you’ve been hacked, don’t hesitate to reach out to us today.
