Peloton bike users could be spied on while working out, according to new research by McAfee's Advanced Threat Research team.
The team discovered a vulnerability (CVE-2021-3387) in the touchscreen of the $2,495 Bike+ that allows it to be controlled remotely by a threat actor without any interference to the equipment's operating system.
Hackers could exploit the flaw to install malicious apps that spoof Netflix or Spotify to steal personal details and login credentials.
Researchers also found that the vulnerability allowed bad actors to access the Peloton bike's microphone and camera to spy on users.
McAfee said that bikes used in hotels and other public spaces were most at risk because hackers had to physically access the screen and infect it with malicious code stored on a USB drive to exploit the flaw.
The lower-priced Peloton Bike is not affected by the flaw as the fitness device uses a different type of touchscreen.
But researchers noted: "Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment, however, the scope of our research was confined to the Bike+."
The flaw was detected in the Peloton bike's software. After McAfee shared the discovery with Peloton, the two companies joined forces to "responsibly develop and issue a patch."
A mandatory software update that fixes the issue was released to users by Peloton earlier this month.
Adrian Stone, Peloton’s Head of Global Information Security, said: “This vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important.
"To keep our members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”
McAfee's report is the second security issue to hit Peloton in the past two months. In May, the company released an update to stop the leakage of personal account information, including the age, weight and location of its users.