According to a post on McAfee’s blog, the team reported this issue to Peloton a few months ago and the companies began working together to develop a patch. The patch has since been tested, was confirmed to be effective on June 4, and began rolling out last week. Typically, security researchers wait until vulnerabilities have been patched before announcing the issue.

The exploit made it possible for hackers to use their own software, loaded via a USB thumb drive, to manipulate the Peloton Bike+ operating system. They would be able to steal information, set up remote internet access, install fake apps to trick riders into providing personal information, and more. Bypassing the encryption on the bike’s communications was also a possibility, making other cloud services and accessed databases vulnerable.

The biggest risk posed by this exploit was to public-facing Pelotons, such as those in a shared gym, where hackers would have easier access. However, private users were also vulnerable, as malicious parties could have access to the system throughout the bike’s construction and distribution. The new patch does fix this problem, but McAfee warns that Peloton Tread equipment, which it did not include in its research, could still be manipulated.

According to McAfee, the most important thing Peloton riders can do to protect their privacy and security is to keep their devices up to date. “Stay on top of software updates from your device manufacturer, especially since they will not always advertise their availability.” They also recommend that users “turn on automatic software updates, so you do not have to update manually and always have the latest security patches.”