BACKGROUND:

McAfee finds security vulnerabilities in Peloton products.

Subscribe
Notify of
guest

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Alan Grau
Alan Grau , VP of IoT
InfoSec Expert
July 1, 2021 1:09 pm

<p>Peloton has established itself as a market leader in home fitness with a large, loyal customer base. I count myself among those loyal followers. Peloton has built a great product, but it seems that they, like so many others, have not focused on cybersecurity. Twice recently, Peloton has found its name in headlines over security vulnerabilities in its product. Peloton Bike and Tread products support API calls to their cloud services to enable real-time data sharing. I can view my performance during a class or ride with others in the same class. Security researchers found that these API calls are completely unauthenticated, allowing anyone access to personal data. Improvements have been made to these APIs, but loopholes remain. More recently, flaws in the secure boot implementation were discovered by researchers. These flaws allow hackers to install new applications or modify the firmware running on the Bike+ products.</p> <p>&nbsp;</p> <p>This has been a consistent trend in the IoT space — invest in products first and worry about security later. Peloton is, in many ways, fortunate that security researchers discovered and reported this problem first. Malicious hackers could have caused a large-scale data breach or potentially launched a damaging cyberattack against the company. But it is time to reverse this trend. Companies must begin investing in security for IoT devices early in the design phase and not wait until it becomes a problem. The Peloton system was equipped with secure boot capability, but it was not properly implemented allowing security researchers to bypass these protections. The API implementation, however, lacked basic authentication mechanisms. That’s why including comprehensive, multi-layered security measures is critical in the early stages of product development. As the Peloton secure boot vulnerability shows, that alone is not enough. Validating the security implementation using penetration testing services is a crucial step that needs to be taken early on. OEMs can build devices that are difficult to hack, and many OEMs are far overdue in making that investment and doing it early.</p>

Last edited 1 year ago by Alan Grau
Information Security Buzz
1
0
Would love your thoughts, please comment.x
()
x