Researchers on Tuesday disclosed a flaw (CVE-2021-33887) in the Android Verified Boot (AVB) process of the Peloton Bike+ that let the bike boot a modified image, bypassing the integrity check AVB is meant to enforce.
In a blog post, McAfee researchers described the worst case: an attacker boots the Peloton from a modified image to gain elevated privileges, then uses those privileges to establish a reverse shell, giving them unfettered root access to the bike remotely. Because the attack works at boot time, anyone with access to the product at any point between construction, warehousing and delivery could install a backdoor in the Android tablet that ships with the bike without the end user knowing. An attacker could also walk up to a Peloton installed in a gym, perform the attack, and keep root access on the device for later use.
The McAfee research was significant and of general interest because Peloton has been in the news for security issues. The company had a tussle with the U.S. Consumer Product Safety Commission this spring, and there were numerous stories when President Biden moved into the White House about the Secret Service locking down the incoming President's exercise equipment because Peloton tablets have built-in cameras and microphones.
While the finding is topical because of the high-profile people who use Pelotons, the AVB issue isn't unique to Peloton, said Jack Mannino, CEO at nVisium. Many Android device OEMs ship production devices with similar flaws, he said.
“Android provides capabilities for Verified Boot, however, bootloader security settings still need to be configured properly by the manufacturer,” Mannino said. “Otherwise, as was demonstrated, an attacker can gain complete control of the bootloader and device.”
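The point in Mannino's comment is that AVB only helps when the OEM ships a signed vbmeta image and a locked bootloader that refuses anything else. The script below is an added example, not code from McAfee, Peloton or the people quoted, and the page does not say which of these settings the Bike+ got wrong; it shows two checks an auditor would run on any Android-based device. The first decodes the fixed 256-byte header of a vbmeta image (layout and flag bits from libavb's avb_vbmeta_image.h, which avbtool writes in big-endian order) and reports an unsigned image or one with verification disabled. The second reads the boot state the bootloader hands to Android (ro.boot.verifiedbootstate, ro.boot.vbmeta.device_state, ro.boot.flash.locked) out of `adb shell getprop` output. The vbmeta headers and getprop dumps used as input are constructed for the example.

```python
"""Audit helpers for Android Verified Boot (AVB) state.

Added example, not McAfee's or Peloton's code. Checks a reviewer would run
on a device that is supposed to have a locked bootloader:
  1. parse the 256-byte vbmeta header (format from libavb's
     avb_vbmeta_image.h, network byte order) and flag an unsigned image
     or one with verification disabled;
  2. read the boot-state properties the bootloader passes to Android out
     of `adb shell getprop` output.
All sample inputs below are constructed for the example.
"""
import re
import struct
from dataclasses import dataclass

# Header layout from avb_vbmeta_image.h: magic, libavb major/minor, auth and
# aux block sizes, algorithm, 11 offset/size/rollback fields, flags,
# rollback index location, 48-byte release string, 80 reserved bytes.
VBMETA_HEADER_FMT = "!4sIIQQI" + "Q" * 11 + "II48s80s"
VBMETA_HEADER_SIZE = struct.calcsize(VBMETA_HEADER_FMT)  # 256
AVB_MAGIC = b"AVB0"
FLAG_HASHTREE_DISABLED = 1 << 0      # AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED
FLAG_VERIFICATION_DISABLED = 1 << 1  # AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}


@dataclass
class VbmetaInfo:
    algorithm: str
    flags: int
    rollback_index: int
    release_string: str


def parse_vbmeta_header(data: bytes) -> VbmetaInfo:
    """Decode the fixed header of a vbmeta image (descriptors are not parsed)."""
    if len(data) < VBMETA_HEADER_SIZE:
        raise ValueError("truncated vbmeta header")
    f = struct.unpack(VBMETA_HEADER_FMT, data[:VBMETA_HEADER_SIZE])
    if f[0] != AVB_MAGIC:
        raise ValueError("not an AVB vbmeta image")
    # f[5] algorithm_type, f[16] rollback_index, f[17] flags, f[19] release_string
    release = f[19].split(b"\0", 1)[0].decode("ascii", "replace")
    return VbmetaInfo(ALGORITHMS.get(f[5], f"UNKNOWN({f[5]})"), f[17], f[16], release)


def vbmeta_findings(info: VbmetaInfo) -> list[str]:
    """Settings a locked production device should never ship with."""
    out = []
    if info.algorithm == "NONE":
        out.append("vbmeta is unsigned (algorithm NONE)")
    if info.flags & FLAG_VERIFICATION_DISABLED:
        out.append("VERIFICATION_DISABLED set: libavb skips image verification")
    if info.flags & FLAG_HASHTREE_DISABLED:
        out.append("HASHTREE_DISABLED set: dm-verity off for hashtree partitions")
    return out


def make_vbmeta_header(algorithm_type: int, flags: int) -> bytes:
    """Constructed test input: a header with only the fields we inspect set."""
    return struct.pack(VBMETA_HEADER_FMT, AVB_MAGIC, 1, 0, 0, 0, algorithm_type,
                       *([0] * 11), flags, 0, b"constructed example", b"")


_GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(output: str) -> dict[str, str]:
    """Turn `adb shell getprop` output ([name]: [value] lines) into a dict."""
    props = {}
    for line in output.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def device_findings(props: dict[str, str]) -> list[str]:
    """Bootloader-reported state under which modified images would boot."""
    out = []
    state = props.get("ro.boot.verifiedbootstate")
    if state != "green":  # green = locked and verified; orange = unlocked
        out.append(f"verifiedbootstate={state!r} (expected 'green')")
    if props.get("ro.boot.vbmeta.device_state") != "locked":
        out.append("vbmeta.device_state is not 'locked'")
    if props.get("ro.boot.flash.locked") != "1":
        out.append("flash.locked != 1: fastboot flashing allowed")
    return out


# Constructed getprop excerpts for a locked and an unlocked device.
SAMPLE_GETPROP_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
"""
SAMPLE_GETPROP_UNLOCKED = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
"""

if __name__ == "__main__":
    for name, data in [("signed vbmeta", make_vbmeta_header(2, 0)),
                       ("unsigned, verification off",
                        make_vbmeta_header(0, FLAG_VERIFICATION_DISABLED))]:
        print(name, vbmeta_findings(parse_vbmeta_header(data)) or ["ok"])
    for name, text in [("locked device", SAMPLE_GETPROP_LOCKED),
                       ("unlocked device", SAMPLE_GETPROP_UNLOCKED)]:
        print(name, device_findings(parse_getprop(text)) or ["ok"])
```

On a real device the vbmeta partition can be pulled with `adb pull` from a rooted shell or dumped over fastboot, and the getprop lines come from `adb shell getprop`. A correctly locked bootloader treats an unsigned vbmeta or the VERIFICATION_DISABLED flag as a verification failure rather than a licence to boot, so a clean report from the first check is only meaningful together with a locked state from the second.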
Ted Driggs, head of product at ExtraHop, added that the Peloton's camera, microphone and local network access make it a particularly attractive target for attackers.
“The bikes not only have the right elements to serve as a pivot point to access other devices connected to the home network and, from there, enterprise resources; they can also be used to covertly listen in on virtual meetings and other sensitive business conversations that now take place from the home office.”
Setu Kulkarni, vice president of strategy at WhiteHat Security, said it's easy to brush this research off by saying that bypassing AVB can't be done without physical access to the device. He called that a mistake, because the steps the researchers took can easily be replicated in other operational environments where a connected device's base OS is Android.
“What if this was on a connected device in a hospital?” posed Kulkarni. “The security researchers were able to confirm that there were many controls in place, but not all permutations were tested. A combination of luck, a handful of readily available tools, and verbose logging was enough to root a pretty locked down device.”