Peloton Bike+ could be vulnerable to hackers: report

Security risk more likely in shared spaces, McAfee report said

Peloton users could be at risk from hackers.

The connected fitness company’s Bike+ may be vulnerable to hackers who could access the tablet, including its camera, microphone and personal data, cybersecurity company McAfee said in a report released Wednesday.


The security risk is apparently more likely to happen on Bike+ machines in shared public spaces like gyms, communal buildings or hotels because hackers need to insert a USB key containing malicious code that will give them remote access.

This would enable the hacker to control the spin bike remotely, install fake apps disguised to look like Netflix or Spotify to capture users’ private log-in information, and even enable the bike’s camera and microphone to spy on whoever is using it, according to the McAfee Advanced Threat Research team.

Peloton did not immediately return a FOX Business request for comment. 


McAfee said in the report that connected fitness devices like the Peloton Bike+ are just like any other mobile phone or laptop that can connect to the internet. 

"As a result, they are susceptible to the same kind of vulnerabilities, and their security should be approached with a similar level of scrutiny," the McAfee report said. 


McAfee said the security vulnerability is also present on Peloton Tread, the company’s recently recalled treadmill, though its research covered only the Bike+. The McAfee ATR team suggests users update their devices’ software often to prevent potential risks.

"We can confirm that we worked with the team at McAfee to address an issue they submitted via our Coordinated Vulnerability Disclosure program, a program that most tech companies have in place to be able to work with the external security community," a Peloton spokesperson told FOX Business in an email. "Peloton fixed the issue within the standard disclosure timeframe and every device with the update installed is protected from this issue," they added. 

Peloton also said its Bike+ and Tread are currently not offered for commercial use and "the vulnerability McAfee reported would require direct, physical access to a Peloton Bike+ or Tread to exploit the issue." 

Peloton last month recalled its Tread+ and Tread treadmills following dozens of user injuries and one child death, after the Consumer Product Safety Commission urged consumers to stop using the equipment in a warning issued on April 17.

This story was updated on June 17 to include a statement from Peloton.