McAfee Reports Security Exploit in Peloton Bike+

Attackers could use the bike's USB port to install malware and steal information

McAfee has reported a security vulnerability in the Peloton Bike+, involving the bike's Android attachment and a USB drive, that could have allowed hackers to install malware in order to steal riders' information.

According to a post on McAfee's blog, the team reported this issue to Peloton a few months ago and the companies began working together to develop a patch. The patch has since been tested, was confirmed to be effective on June 4, and began rolling out last week. Typically, security researchers wait until vulnerabilities have been patched before announcing the issue.

The exploit made it possible for hackers to use their own software loaded via USB thumb drive to manipulate the Peloton Bike+ operating system. They would be able to steal information, set up remote internet access, install fake apps to trick riders into providing personal information, and more. Bypassing the encryption on the bike's communications was also a possibility, making other cloud services and accessed databases vulnerable.

The biggest risk posed by this exploit was to public-facing Pelotons, such as those in a shared gym, where hackers would have easier access. However, private users were also vulnerable, as malicious parties could have had access to the system during the bike's construction and distribution. The new patch does fix this problem, but McAfee warns that Peloton Tread equipment, which it did not include in its research, still could be manipulated.

According to McAfee, the most important thing Peloton riders can do to protect their privacy and security is to keep their devices up to date. "Stay on top of software updates from your device manufacturer, especially since they will not always advertise their availability." They also recommend that users "turn on automatic software updates, so you do not have to update manually and always have the latest security patches."
