McAfee finds security vulnerabilities in Peloton products.
<p>Peloton has established itself as a market leader in home fitness with a large, loyal customer base. I count myself among those loyal followers. Peloton has built a great product, but it seems that they, like so many others, have not focused on cybersecurity. Twice recently, Peloton has found its name in headlines over security vulnerabilities in its product. Peloton Bike and Tread products support API calls to their cloud services to enable real-time data sharing. I can view my performance during a class or ride with others in the same class. Security researchers found that these API calls are completely unauthenticated, allowing anyone access to personal data. Improvements have been made to these APIs, but loopholes remain. More recently, flaws in the secure boot implementation were discovered by researchers. These flaws allow hackers to install new applications or modify the firmware running on the Bike+ products.</p>
<p>This has been a consistent trend in the IoT space: invest in products first and worry about security later. Peloton is, in many ways, fortunate that security researchers discovered and reported this problem first. Malicious hackers could have caused a large-scale data breach or potentially launched a damaging cyberattack against the company. But it is time to reverse this trend. Companies must begin investing in security for IoT devices early in the design phase and not wait until it becomes a problem. The Peloton system was equipped with secure boot capability, but it was not properly implemented, allowing security researchers to bypass these protections. The API implementation, however, lacked basic authentication mechanisms. That’s why including comprehensive, multi-layered security measures is critical in the early stages of product development. As the Peloton secure boot vulnerability shows, that alone is not enough. Validating the security implementation using penetration testing services is a crucial step that needs to be taken early on. OEMs can build devices that are difficult to hack, and many OEMs are far overdue in making that investment and doing it early.</p>
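The unauthenticated-API point in the comment above, as an added example that is not Peloton's code and not part of the expert's comment: a constructed workout-history endpoint in its vulnerable form (it trusts the user ID in the URL and never looks at credentials) beside a hardened form that authenticates a bearer token and then authorises the request against a per-user privacy flag, plus a small probe of the kind a penetration test would run against both. The users, session tokens, privacy rule and handler signatures are all assumptions made for the illustration.

```python
"""Unauthenticated vs. authenticated API handler (constructed example, not Peloton's code)."""
from dataclasses import dataclass, field
import hmac


@dataclass
class User:
    user_id: str
    name: str
    private: bool
    workouts: list = field(default_factory=list)


# Constructed sample accounts; nothing here is real data.
USERS = {
    "u1": User("u1", "alice", private=True, workouts=[{"ride": "hiit", "output_kj": 310}]),
    "u2": User("u2", "bob", private=False, workouts=[{"ride": "climb", "output_kj": 250}]),
}

# Assumed server-side session store: bearer token -> user_id.
# Fixed tokens so the example is deterministic; a real service issues random ones.
SESSIONS = {
    "tok-alice": "u1",
    "tok-bob": "u2",
}


def vulnerable_get_workouts(path_user_id, headers):
    """Vulnerable: returns whatever user the URL names, ignoring the Authorization header."""
    user = USERS.get(path_user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, {"user": user.name, "workouts": user.workouts}


def _caller_from_headers(headers):
    """Resolve the caller from a 'Bearer <token>' header, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison so the lookup does not leak token bytes via timing.
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return uid
    return None


def hardened_get_workouts(path_user_id, headers):
    """Hardened: authenticate the caller first, then authorise against the target's privacy flag."""
    caller = _caller_from_headers(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    user = USERS.get(path_user_id)
    if user is None:
        # Same status as the privacy refusal so valid user IDs cannot be enumerated.
        return 403, {"error": "forbidden"}
    if user.private and caller != user.user_id:
        return 403, {"error": "forbidden"}
    return 200, {"user": user.name, "workouts": user.workouts}


def probe_unauthenticated(handler, user_ids):
    """Pentest-style check: call the handler with no credentials, report IDs that still return data."""
    return [uid for uid in user_ids if handler(uid, {})[0] == 200]


if __name__ == "__main__":
    ids = ["u1", "u2", "u3"]
    print("vulnerable leaks:", probe_unauthenticated(vulnerable_get_workouts, ids))
    print("hardened leaks:  ", probe_unauthenticated(hardened_get_workouts, ids))
```

The probe is the check worth carrying into any IoT API assessment: enumerate the endpoints the device or app calls, replay each with the credentials stripped, and treat any 200 as a finding. Note that the hardened handler answers 401 before it ever touches the data store, so an unauthenticated caller learns nothing about which user IDs exist.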