Peloton, a well-known fitness machine manufacturer, said that it has fixed the bug in software version “PTX14A-290” and no longer allows the boot command to be used on its systems, after McAfee reported the vulnerability to Peloton.
The now-fixed security vulnerability in the Peloton Bike machine could have allowed a threat actor to gain complete control over the device. The threat actor could have exploited the vulnerability to obtain access to the video camera and microphone.
McAfee released a new report explaining how the researchers bought a Peloton Bike+ to explore the underlying Android OS and see whether they could find a way to compromise the device.
McAfee security researchers Sam Quinn and Mark Bereza explained that an Android tablet beneath the hood of the glossy exterior makes the exercise machine look hi-tech.
The researchers at McAfee additionally said that Peloton had recently received quite a lot of attention regarding the privacy and security of its products. This encouraged them to take a close look at the Peloton Bike+, and so they purchased one.
Android lets devices boot a modified or custom image using ‘fastboot boot’, a command that loads a new boot image without flashing the device, so the device returns to its default boot software on reboot.
Newer versions of Android let developers place the device in a locked state to prevent it from loading modified boot images (and to avoid hard-bricking devices).
The image below shows how ‘fastboot oem device-info’ reports that the device is not unlocked.
Though Peloton correctly set the device to a locked state, McAfee researchers discovered that they could still load a modified image, because a bug prevented the system from verifying whether the device was unlocked.
Though the test image failed to boot because it did not contain the correct display and hardware drivers for the Peloton, it showed that modified code could run on the device.
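The gap described above, a bootloader that reports a locked state but still accepts a boot image, is something a device QA check can test for directly. The sketch below is an added example, not McAfee's or Peloton's code; the output layouts, sample transcripts and function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `fastboot oem device-info` output. Field names vary
# by bootloader; this layout is an assumption, not a capture from a Bike+.
SAMPLE_INFO='(bootloader) Verity mode: true
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false
OKAY [  0.010s]'

# Constructed transcripts of a QA attempt to boot a non-production test image.
BOOT_REJECTED="FAILED (remote: 'boot is not allowed in locked state')"
BOOT_ACCEPTED='Booting                                            OKAY [  0.100s]'

# reported_lock_state <device-info text>: prints locked, unlocked or unknown.
reported_lock_state() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^(bootloader)[[:space:]]*Device unlocked:[[:space:]]*\([a-z]*\).*/\1/p' |
        head -n 1)
    case "$value" in
        false) echo locked ;;
        true)  echo unlocked ;;
        *)     echo unknown ;;
    esac
}

# boot_test_result <boot transcript>: prints rejected, accepted or unknown.
boot_test_result() {
    case "$1" in
        *FAILED*) echo rejected ;;
        *OKAY*)   echo accepted ;;
        *)        echo unknown ;;
    esac
}

# audit_lock <device-info text> <boot transcript>: prints the verdict.
# The reported flag alone is not trusted; enforcement must be observed too.
audit_lock() {
    state=$(reported_lock_state "$1")
    boot=$(boot_test_result "$2")
    case "$state/$boot" in
        locked/rejected) echo ENFORCED ;;
        locked/accepted) echo LOCK_NOT_ENFORCED ;;  # the condition described above
        unlocked/*)      echo UNLOCKED ;;
        *)               echo INCONCLUSIVE ;;
    esac
}

audit_lock "$SAMPLE_INFO" "$BOOT_ACCEPTED"
```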
Then the researchers acquired a valid Peloton boot image from the device’s OTA (over-the-air) updates and modified it to include the ‘su’ command to elevate privileges on the device.
With physical access to the device, the researchers loaded the modified Peloton boot.img into the Peloton Bike+ and were able to obtain root access on the device using the ‘su’ command, as shown by the image below.