Watch CBS News

Hackers can spy on Peloton bike and treadmill users

Peloton recalls treadmill
Peloton recalls treadmill linked to injuries 02:34

Peloton says it has fixed a security flaw in the fitness equipment maker's stationary bike and treadmill products that potentially allowed hackers to spy on users and even control their exercise machines. 

Security software company McAfee identified the vulnerability, warning that someone with physical access to Peloton's Bike+ and Tread+ products could gain control of the devices through a USB port on the interactive tablet mounted on the machines that are used to stream live workouts.

Peloton acknowledged the weakness in a press release Thursday, explaining that an attacker could "modify the software on the device, and could then install malware or access data that is communicated between the device and our services."

Peloton issued a mandatory software update that protects users from being hacked, and urged its members to log into their tablets to download the patch.

"After updating, your device will be protected against the vulnerability that McAfee reported," Peloton said in the release. 

McAfee researchers kept the issue private until Peloton was able to roll out a fix, according to the equipment company. 

Specifically, hackers could insert a USB key containing malicious code into a Peloton machine and gain remote access without the user knowing. They could use this access to install malicious apps made to look like Netflix or Spotify in order to steal users' credentials, McAfee wrote in a blog post on its website. 

In addition, "They can enable the bike's camera and microphone to spy on the device and whoever is using it," according to the cybersecurity company.

Feds urge Peloton Tread+ users with pets, kids to stop use after 39 incidents and one death 01:04

An interactive map by a third-party website that shows where Peloton machines are located around the world also can be exploited by bad actors.

But it's the equipment's high-tech bells and whistles — the very features that make Peloton's $2,495 Bike+ and Tread+ attractive to customers — that pose the greatest security threats. The exercise devices also have a camera and microphone through which attackers can spy on the devices and users, or monitor the spaces they occupy.

Peloton also drew scrutiny earlier this year after a child died in an accident involving its Tread+ treadmill, spurring the company to issue a warning about its usage. Customers were also frustrated by months-long shipping delays during the pandemic, which fueled demand for at-home workout alternatives.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.