Every time a new gadget comes out that seems "unhackable," the experts prove us wrong by taking advantage of it anyway. Recently, researchers unearthed a security flaw in Peloton smart bikes that could allow a hacker to spy on you while you cycle.

So why are cybercriminals attacking exercise bikes? And what can you do about it?

How Are Hackers Attacking Exercise Bikes?

McAfee sounded the alarm after its researchers located an exploit in Peloton exercise bikes. Fortunately, the researchers managed to bring it to Peloton's attention before the hackers did, but there's still a chance that some malicious agents found and used the exploit before then.

To perform the attack, the hacker would first make a USB stick with the Peloton boot file on it. They would then take it to the bicycle they want to hack and plug it in, modifying the boot file to allow them access. The bikes don't check for this kind of attack, so it would give the hacker admin rights to the machine.

With these rights, they can then tamper with the bike as they like. They can use this power to harvest the personal information of whoever uses the bike.

McAfee disclosed this flaw to Peloton, which then released a patch for its exercise bikes on June 4, 2021. However, it does mean that if you hopped on a bike in a gym on or before that date, there's a slim chance the bike you chose had been compromised.

What Kind of Data Was Stolen?

It may seem weird that a hacker would go after an exercise bike, but models these days come with a lot of fancy gadgets and features that can be turned against users to harvest their information.

Of course, the hacker isn't breaking into the bike so they can congratulate you on completing that marathon exercise routine. Instead, they're looking for information that they can personally use or sell on.

Creating Fake Peloton Apps

Smart bikes like Peloton's machines have apps on them for riders to use as they sweat it out. These apps include popular online services like Netflix and Spotify.

Hackers can exploit this by uploading fake versions of these apps onto the bike. The fakes look the same as the official apps, but when the user enters their login details, those details are sent to the hacker.

But wait a minute; why on earth does a hacker want to get into your Netflix or Spotify account? After all, you can make a Spotify account for free, and Netflix isn't that expensive. Is a hacker really that desperate to get free movies that they'd hack an exercise bike?

It may surprise you, but these accounts can sell on the black market. Some people just don't want to pay the monthly fee for Netflix or Spotify Premium; they'd rather make a one-off payment to access someone else's account and make them foot the bill instead. These are just some of the many shocking online accounts sold on the dark web.

Plus, if you go against advice and use the same username and password on multiple accounts, more than just entertainment apps could be compromised.

Harvesting Personal Identifying Information

Things get a little scarier when you realize that Peloton bikes also have a microphone and camera installed on them. Hackers can use these to spy on whoever's using the machine.

Of course, the hacker needs an active connection to the bike in order to spy on its user in real-time. As such, they'll have to install a backdoor that gives them permission to access the bike's hardware without the user knowing.

Not only that, but McAfee notes that hackers can even decrypt the data sent by the Peloton to the servers. This means that the cybercriminal can harvest all the confidential information the bicycle is collecting to get a better idea of who's using it.

How to Protect Yourself From Bike Hackers

This all sounds very terrifying, but remember, Peloton patched this exploit back in June 2021. That means that you need to think back to whether you used a Peloton machine in a public place before then.

Even if you used one after that date, there's a chance that your local gym has not downloaded the latest firmware for the bike yet, meaning the exploit is still present.

Let's check out some ways to protect your privacy when using exercise machines.

1. Opt for "Dumb" Bikes Over "Smart" Ones

If you hate the idea of a bike that spies on you and steals your account information, why not opt for a bike that can do neither? As flashy and magical as companies make internet-connected bikes out to be, hooking up a device to the world wide web always carries its fair share of threats.

As such, the best way to protect your digital privacy is to get or use an exercise bike with little to no technology at all. Of course, this means that cycling around your town is a good option. If you want to stick with an exercise machine, there are plenty that use either a simple digital display or none at all.

While it is possible that any exercise bike with a digital display can be cracked into, the goal here is to minimize the amount of information a hacker would get if they did breach the security. The less information the bike displays or uses, the less useful the data is to a hacker.

For example, a bike with webcams, microphones, and apps poses a huge privacy risk if it's breached. On the other hand, a bike that only tells you general statistics like distance traveled and your heart rate will give a hacker nothing of value.

This applies to other home gadgets, too. For instance, did you know that hackers can compromise smart bulbs of all things? It goes to show that very few smart devices are "too small to hack"; if it has a weakness, a hacker can exploit it.

2. Keep Your Smart Bike's Firmware Updated

If you really can't bear to part with your beloved smart bike, then it's time to make sure its defenses are up. Always update your bike's firmware, as these updates will contain patches that fix exploits and flaws in its security.

Even if nobody else uses or can reach your exercise bike, doing this will protect your device from remote attacks.

3. Don't Wholly Trust Technology Found in the Public

Remember the actual attack vector on the Peloton bikes? The hacker had to visit the exercise machine physically so they could plug in a USB stick.

As such, if you have a Peloton at home, it's extremely unlikely that a hacker managed to use this exploit on it. However, the bicycle machines found in the gym are a different story.

Always be wary of using a smart exercise bike in a public place. Try to avoid giving it any personal details, and if it has a webcam or microphone, perhaps find another machine.

This advice applies to pretty much every piece of public-facing technology out there. Even public Wi-Fi networks can be hotspots for criminal activity, preying on people who connect to them.

Staying Safe at the Gym

A recent vulnerability in Peloton bikes revealed how hackers could upload fake apps and track who was riding them. Always ensure your smart devices and exercise machines are updated. If push comes to shove, you can always opt for the "dumb" versions instead.

If you already have a full smart home set up, don't worry. As long as you study up on all its security risks and how to avoid them, you should be alright.