Hacked While Exercising? Peloton Users Were Vulnerable


Where there’s a hacker, there’s a way. Peloton owners have been in danger of being hacked by bad actors.

Cybersecurity company McAfee recently revealed a vulnerability that allows hackers to gain remote access to electronic exercise bikes. What’s that mean for you? Let’s take a closer look.

McAfee Discovers a Peloton Problem

Peloton bikes have been making waves for their advanced technology and digital user interfaces. Each exercise bike comes equipped with an Android tablet.

Yesterday, McAfee writers revealed that the company found a flaw in the Android Verified Boot (AVB) process that leaves Peloton owners vulnerable.

The report revealed that hackers could remotely access Peloton products and tap into the microphones and cameras. Hackers can also add apps that look like Spotify or Netflix but are really phishing fronts built to get users to give away their login information.

McAfee made a video detailing the situation:

McAfee ATR Demonstrates Peloton Bike+ Bootloader Vulnerability

The report stated that bikes could be affected at any point, from construction to the warehouse to delivery.

McAfee notified Peloton of the vulnerability in March.

Peloton’s Head of Global Information Security, Adrian Stone, responded:

This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.

Peloton Has Problems Outside of Getting Hacked

This vulnerability is just the latest in a slew of bad news for Peloton. Its treadmill rollout did not go as planned. The company recalled some of its treadmills after receiving reports of over 70 injuries and the death of a 6-year-old. Objects and people were being pulled under the machines.

The company’s CEO John Foley pushed back against the federal government’s call for a recall. He later obliged.

Around the same time, a different security company discovered that hackers could access sensitive information from Peloton users, including:

  • User IDs
  • Instructor IDs
  • Group membership
  • Location
  • Workout stats
  • Gender and age
  • If they are in the studio or not

Despite these issues, the firm had an excellent pandemic, during which it increased revenue exponentially.

If you own a Peloton, be sure to freshen up your knowledge of cybersecurity hygiene and familiarize yourself with phishing attempts.

And if you think you’ve been hacked, don’t hesitate to reach out to us today.


Aaron Weaver is the Head of Content for Hacked.com. He has over 15 years of journalism experience. As a tech-savvy editor and researcher, he prides himself on journalistic integrity by providing cutting edge data backed by the latest science.
