What if we told you that an attacker could reach your clients' personal information by gaining unauthorized access to the fitness equipment in your gym? In a recent security incident, several vulnerabilities were identified in Peloton fitness equipment that could let attackers obtain device information or deploy malware. Check Point, a cyber security firm, reported that the internet-connected Peloton treadmill runs an Android build that has not been updated to the latest platform version, exposing it to the known weaknesses of outdated Android devices, and that it is also at risk from attackers with physical access to the device.
The device was also found to have USB debugging enabled. An attacker with physical access could therefore connect over the Android Debug Bridge (ADB), retrieve a list of all installed packages, and obtain shell access, compromising the treadmill completely. From that foothold, the attacker could exploit vulnerabilities in installed apps and move laterally into the surrounding network.
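The USB-debugging and outdated-platform findings above are exactly the kind of thing a gym or facility operator can check for on their own Android-based equipment before an attacker does. The script below is an added example written for this article, not Check Point's or Peloton's code. It parses the text that `adb shell getprop`, `adb shell settings get global adb_enabled` and `adb shell pm list packages -3` produce (constructed sample dumps are embedded, with hypothetical package names and an assumed minimum API level) and flags USB debugging, ADB exposed over TCP, a platform below the baseline, and any third-party package missing from an operator allow-list.

```python
import re

# Assumed fleet baseline for this example: anything below Android 11 (API 30)
# is treated as outdated. Adjust to your own policy.
MIN_SUPPORTED_SDK = 30

# Constructed sample dumps, standing in for the output of
#   adb shell getprop
#   adb shell settings get global adb_enabled
#   adb shell pm list packages -3
SAMPLE_GETPROP = """\
[ro.build.version.sdk]: [28]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-10-05]
[ro.product.model]: [ExampleTread]
[sys.usb.config]: [mtp,adb]
[service.adb.tcp.port]: [5555]
"""
SAMPLE_ADB_ENABLED = "1\n"
SAMPLE_PACKAGES = """\
package:com.example.fitness.ui
package:com.example.remote.admin
"""
# Packages the operator expects on the device (hypothetical names).
ALLOWED_PACKAGES = {"com.example.fitness.ui"}

_PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output into a dict; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_packages(text):
    """Collect package names from `pm list packages` output."""
    return {line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")}


def audit(getprop_text, adb_enabled_text, packages_text,
          allowed=ALLOWED_PACKAGES, min_sdk=MIN_SUPPORTED_SDK):
    """Return a list of (finding_id, detail) tuples; an empty list is a clean device."""
    props = parse_getprop(getprop_text)
    findings = []

    # Outdated platform: the API level tells you which Android release is running.
    sdk = int(props.get("ro.build.version.sdk", "0") or 0)
    if sdk < min_sdk:
        patch = props.get("ro.build.version.security_patch", "unknown")
        findings.append(("OUTDATED_PLATFORM",
                         f"API level {sdk} below required {min_sdk} (security patch {patch})"))

    # USB debugging: the global setting is what the Developer Options toggle writes.
    if adb_enabled_text.strip() == "1":
        findings.append(("USB_DEBUGGING_ENABLED",
                         "adb_enabled=1: anyone with physical USB access gets a shell"))

    # Belt and braces: the USB gadget configuration also reveals an active adb function.
    usb_config = props.get("sys.usb.config", "")
    if "adb" in usb_config.split(","):
        findings.append(("ADB_IN_USB_CONFIG", f"sys.usb.config={usb_config}"))

    # ADB over TCP removes even the physical-access requirement.
    tcp_port = props.get("service.adb.tcp.port", "").strip()
    if tcp_port and tcp_port != "-1":
        findings.append(("ADB_OVER_TCP", f"ADB listening on the network, port {tcp_port}"))

    # Sideloaded apps: anything third-party that the operator did not sanction.
    for pkg in sorted(parse_packages(packages_text) - allowed):
        findings.append(("UNEXPECTED_PACKAGE", pkg))

    return findings


if __name__ == "__main__":
    for fid, detail in audit(SAMPLE_GETPROP, SAMPLE_ADB_ENABLED, SAMPLE_PACKAGES):
        print(f"{fid}: {detail}")
```

On a real device the three dumps come from `adb shell getprop`, `adb shell settings get global adb_enabled` and `adb shell pm list packages -3`. On devices that permit it, an operator can turn debugging off with `adb shell settings put global adb_enabled 0`, after which the USB_DEBUGGING_ENABLED finding should disappear on re-audit; a device that still reports adb in `sys.usb.config` or a TCP port afterwards deserves a closer look.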
It doesn't end there. Having compromised a single device, an attacker could gain unauthorized access to other fitness equipment on the same network and tamper with its settings. Of greater concern, once attackers obtain the pre-shared keys used by these devices, they could potentially tamper with every other device that shares the same keys.
With this kind of access, data exfiltration is a major concern, but there is more. Armed with that information and control of a device that already sits on the trusted side of the network, attackers can pivot toward your ICS infrastructure and past the firewall boundaries meant to isolate it. Note too that the device has a webcam and microphone attached, which makes it vulnerable to eavesdropping if malware is installed.
The firm demonstrated the danger of sideloading a mobile remote access tool (MRAT) onto the device: it gave them complete control over the treadmill, including recording audio, taking photos, reading geolocation data, and manipulating the network stack. The compromised treadmill not only exposed the device itself but also served as an entry point into the local area network, opening the door to further malicious activity.
Check Point noted that, through social engineering, an attacker could get at a high-profile individual's treadmill, whether at home or in the office, and install a backdoor that grants the attacker access to that network.
With such access, attackers can move laterally within the network, steal personally identifiable information, launch ransomware, harvest corporate credentials, or mount denial-of-service attacks. In short, remote control of the treadmill gives the attacker a persistent foothold from which to extend the attack.
Attackers can exploit vulnerabilities in such devices to gain unauthorized access to the gym's network. In a gym, that access can allow them to collect sensitive information about members, including personal health records, financial details, and identification data.
With control over the devices, attackers can record audio and video, potentially capturing private conversations or compromising images. They can also use a compromised device to manipulate network traffic, intercept communications, or disrupt the normal functioning of other connected devices.
In gyms affiliated with corporate offices or frequented by business professionals, attackers can use compromised devices as a bridge into corporate networks, leading to potential data breaches.
A compromised device can lead to severe privacy violations, financial losses, and operational disruptions. Securing the devices in gyms, by disabling debugging interfaces, keeping firmware current, and isolating equipment on its own network segment, is therefore crucial to preventing these kinds of threats.
Source: https://www.securityweek.com/multiple-security-issues-identified-in-peloton-workout-equipment/