Privacy Ninja

Peloton Bike+ Vulnerability Allowed Complete Takeover of Devices

A vulnerability in the Peloton Bike+ fitness machine has been fixed that could have allowed a threat actor to gain complete control over the device, including its video camera and microphone.

Peloton is the manufacturer of immensely popular fitness machines, including the Peloton Bike, Peloton Bike+, and the Peloton Tread.

In a new report released by McAfee, researchers explain how they purchased a Peloton Bike+ to poke at the underlying Android operating system and see if they could find a way to compromise the device.

“Under the hood of this glossy exterior, however, is a standard Android tablet, and this hi-tech approach to exercise equipment has not gone unnoticed,” explain McAfee security researchers Sam Quinn and Mark Bereza.

“Viral marketing mishaps aside, Peloton has garnered attention recently regarding concerns surrounding the privacy and security of its products. So, we decided to take a look for ourselves and purchased a Peloton Bike+.”

Android allows devices to boot a modified image using a special command called ‘fastboot boot’, which loads a new boot image without flashing the device, enabling the device to revert to its default boot software on reboot.

Newer Android versions allow developers to place the device in a locked state to prevent it from loading modified boot images. As you can see below, ‘fastboot oem device-info’ shows that the device is not unlocked.

Fastboot command showing the Peloton in a locked state

While Peloton correctly set the device to a locked state, McAfee researchers discovered that they could still load a modified image: a bug meant the bootloader never verified whether the device was unlocked before honouring the ‘boot’ command.

While their test boot image failed as it did not contain the correct display and hardware drivers to operate the Peloton, it showed that modified code could be run on the device.
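The gap described above is between what the bootloader reports and what it enforces: ‘fastboot oem device-info’ said “locked”, yet ‘fastboot boot’ was still accepted. The following audit helper, added here as an example and not code from McAfee or Peloton, parses both outputs and classifies a device into the three cases that matter to a defender. The output formats are assumed (Qualcomm-style ‘(bootloader)’ lines and the usual fastboot OKAY/FAILED responses) and the sample strings are constructed, not captured from a Peloton; the `run_fastboot` wrapper is only for use against a device you are auditing.

```python
import re
import shutil
import subprocess

# Constructed sample of `fastboot oem device-info` output on a device that
# reports itself as locked (Qualcomm-style "(bootloader)" lines). Assumed
# format; not captured from a Peloton.
SAMPLE_DEVICE_INFO = """\
(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
OKAY [  0.004s]
Finished. Total time: 0.004s
"""

# Constructed samples of what `fastboot boot <image>` prints. A bootloader that
# enforces the lock refuses the command; one with the bug described in the
# article sends and boots the image even though device-info says "locked".
SAMPLE_BOOT_REFUSED = (
    "FAILED (remote: 'unlock device to use this command')\n"
    "fastboot: error: Command failed\n"
)
SAMPLE_BOOT_ACCEPTED = (
    "Sending 'boot.img' (32768 KB)                      OKAY [  1.250s]\n"
    "Booting                                            OKAY [  0.100s]\n"
    "Finished. Total time: 1.400s\n"
)

LOCKED_ENFORCED = "locked, boot command refused"
LOCKED_NOT_ENFORCED = "locked, but boot command accepted"
UNLOCKED = "unlocked"

_KV = re.compile(r"^\(bootloader\)\s*(?P<key>[^:]+?)\s*:\s*(?P<val>\S+)\s*$")


def parse_device_info(text):
    """Turn the '(bootloader) Key: value' lines into a lower-cased dict."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            info[m.group("key").lower()] = m.group("val").lower()
    return info


def reports_locked(info):
    """True when device-info claims both lock flags are set."""
    return (info.get("device unlocked") == "false"
            and info.get("device critical unlocked", "false") == "false")


def boot_command_refused(boot_output):
    """True when fastboot reported FAILED and never reached the 'Booting' step."""
    lines = [l.strip() for l in boot_output.splitlines()]
    failed = any(l.startswith("FAILED") for l in lines)
    booted = any(l.startswith("Booting") and "OKAY" in l for l in lines)
    return failed and not booted


def assess(device_info_text, boot_output):
    """Combine the self-reported lock state with the observed behaviour.

    The article's finding is the middle case: the flag says locked, yet the
    bootloader still accepts `fastboot boot`. Only the first case is safe.
    """
    info = parse_device_info(device_info_text)
    if not reports_locked(info):
        return UNLOCKED
    if boot_command_refused(boot_output):
        return LOCKED_ENFORCED
    return LOCKED_NOT_ENFORCED


def run_fastboot(*args):
    """Run a real fastboot command and return its combined stdout/stderr.

    Only needed when auditing an actual device; the samples above let the
    functions run offline. Requires the `fastboot` binary on PATH.
    """
    if shutil.which("fastboot") is None:
        raise RuntimeError("fastboot not found on PATH")
    proc = subprocess.run(["fastboot", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for name, out in (("enforcing", SAMPLE_BOOT_REFUSED),
                      ("buggy", SAMPLE_BOOT_ACCEPTED)):
        print(f"{name:9s}: {assess(SAMPLE_DEVICE_INFO, out)}")
```

Against a real device the two inputs would come from `run_fastboot("oem", "device-info")` and `run_fastboot("boot", "test.img")`; the point of the classifier is that a “locked” flag on its own is not evidence of protection, which is exactly why Peloton’s fix removed the ‘boot’ command rather than relying on the flag.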

The researchers then acquired a valid Peloton boot image from the device’s OTA (over-the-air) updates. They then modified the legitimate boot image to include the ‘su’ command to elevate privileges on the device.

With physical access to the device, the researchers loaded the modified Peloton boot.img onto the Peloton Bike+ and were able to achieve root access using the ‘su’ command, as shown in the image below.

Gaining root access via the modified boot image

While the Peloton Bike+ continued to operate and look just like usual, the researchers now had elevated access and could run any Android application they wanted on the device.

McAfee said they reported the vulnerability to Peloton, which fixed the bug in software version “PTX14A-290” so that the ‘boot’ command is no longer allowed on their systems.

It’s a Peloton! So what?

You may be wondering what the big deal is about a vulnerability in a Peloton as it is not a device where sensitive data is stored or where you log in to your bank and email accounts.

Hotels, cruise ships, gyms, and vacation rentals are more commonly starting to offer Peloton bikes and treadmills for their guests to use while visiting.

If a threat actor can compromise one of these devices, they could potentially install malware that harvests the accounts of people who use the devices.

The threat actors can then use those accounts to try to compromise other sites where the same credentials are reused.

It is also important to remember that Pelotons are treated as infrastructure in homes and commercial locations and may sit on the internal network rather than a more walled-off guest network.

A compromised Peloton would not show any outward signs of tampering but, once hacked by a threat actor, could be used to provide remote access to the network without anyone being the wiser.

Finally, and a bit more concerning, once threat actors gain elevated privileges on the device, they can remotely turn on a camera or microphone.

While it is improbable that Peloton devices would be compromised using this vulnerability, as physical access is required, the video below illustrates how easily McAfee was able to load the modified boot image on a Peloton Bike+.
