The McAfee Advanced Threat Research team (ATR) uncovered a flaw (CVE-2021-33887) in the Android Verified Boot (AVB) process that left the Peloton vulnerable. 

Peloton products, according to McAfee are equipped with a large tablet that interfaces with the components of the fitness machine, as well as provides a way to attend virtual workout classes over the internet. “Under the hood” of this glossy exterior, however, is a standard Android tablet. Recently, Peloton garnered attention regarding concerns surrounding the privacy and security of its products.

The ATR at McAfee said the problem stemmed from the Android Verified Boot process that accompanies the Peloton stationary exercise Bike+. McAfee said attackers could access the bike through the port and install fake versions of popular apps, which could then fool users into entering their personal information. The attack, however, would require physical access to the Peloton product.

McAfee ATR sent their vendor disclosure with full details on March 2, 2021 – shortly after, Peloton confirmed the issue and subsequently released a fix for it in software version “PTX14A-290”. Peloton’s Head of Global Information Security, Adrian Stone, shared the following, “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider, explains, "This issue isn’t unique to Peloton. Many Android device OEMs suffer from comparable flaws shipped in production devices. Android provides capabilities for Verified Boot, but bootloader security settings still need to be configured correctly by the manufacturer, or else, as was demonstrated, an attacker can gain complete control of the bootloader and device."

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, "It would be easy to brush this off by saying this scenario of bypassing the AVB is not likely without physical access to the device. But, doing that would be a mistake because the steps taken by the researchers can be easily replicated in other operational environments where the base OS for a connected device is Android-based."

Kulkarni adds, "The security researchers were able to confirm that there were many controls in place, however, not all permutations were tested. A combination of luck, a handful of readily available tools, and verbose logging was enough to root a pretty locked down device."

For more details, and a demonstration of how McAfee was able to bypass the Android Verified Boot process and compromise the Android OS, please visit https://www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/