Peloton users could face a new problem: hackers.
Cyber security experts at McAfee discovered a security flaw on Peloton’s Bike+ that could leave riders vulnerable to internet hackers, the company announced Tuesday. The issue, according to McAfee, stemmed from a USB port that could allow fraudsters “backdoor access” to the bike’s operating system, as well as the 22-inch touchscreen.
Malware disguised as popular apps like Netflix and Spotify could also give hackers a peek at users’ personal information — or a real-time look at their workouts if the bike’s camera and microphone are compromised, experts said.
McAfee said Peloton bikes in public or shared spaces such as a gym were most at risk. More concerning, McAfee said the vulnerability made it possible for hackers to access the bike “during any point in the supply chain from construction to delivery” without the rider’s knowledge.
“Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information,” Steve Povolny, head of McAfee’s Advanced Threat Research Team, told NBC News.
Experts found the security threat earlier this month and alerted Peloton, teaming up with the exercise equipment company to develop a security patch to resolve the issue, according to McAfee’s website.
“Peloton also pushed a mandatory update to affected devices last week that addressed this vulnerability,” the exercise equipment company said in a statement to NBC News.
The news comes a month after the exercise equipment company recalled its treadmill after a 6-year-old was killed and more than 20 others injured by the machine, The Miami Herald previously reported. The company initially downplayed the U.S. Consumer Product Safety Commission’s warning about the Tread+, but later acknowledged it had made “a mistake” by not recalling it earlier.
Experts say internet-connected devices including tablets, toys and refrigerators are, like the Bike+, vulnerable to being hacked.
To keep your information out of the hands of hackers, McAfee said it’s important to stay on top of product software updates, do your homework before investing in IoT, or “internet of things,” devices, and consider identity protection software.
“The discovery serves as an important reminder to practice caution when using fitness IoT devices,” the firm said.