{"id":122833,"date":"2021-06-15T21:01:52","date_gmt":"2021-06-16T04:01:52","guid":{"rendered":"\/blogs\/?p=122833"},"modified":"2024-07-05T05:55:05","modified_gmt":"2024-07-05T12:55:05","slug":"a-new-program-for-your-peloton-whether-you-like-it-or-not","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/","title":{"rendered":"A New Program for Your Peloton \u2013  Whether You Like It or Not"},"content":{"rendered":"<h2 aria-level=\"2\"><span data-contrast=\"none\">Executive Summary<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The McAfee<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Advanced Threat Research team\u00a0<\/span><span data-contrast=\"auto\">(ATR)\u00a0<\/span><span data-contrast=\"auto\">is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0As<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">security researchers<\/span><span data-contrast=\"auto\">, s<\/span><span data-contrast=\"auto\">omething that we always try to establish before looking at a target is what our scope<\/span><span data-contrast=\"auto\">\u00a0should<\/span><span data-contrast=\"auto\">\u00a0be. 
More specifically, we often assume well-vetted technologies like\u00a0<\/span><span data-contrast=\"auto\">network<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">stack<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0or the OS layer<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0are sound and instead focus our attention on the application layers or software<\/span><span data-contrast=\"auto\">\u00a0that is<\/span><span data-contrast=\"auto\">\u00a0specific to\u00a0<\/span><span data-contrast=\"auto\">a<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">target.\u00a0<\/span><span data-contrast=\"auto\">Whether that approach is comprehensive sometimes doesn\u2019t matter;\u00a0<\/span><span data-contrast=\"auto\">and it\u2019s\u00a0<\/span><span data-contrast=\"auto\">what we decided to do for this project as well<\/span><span data-contrast=\"auto\">, bypassing the<\/span><span data-contrast=\"auto\">\u00a0Android OS\u00a0<\/span><span data-contrast=\"auto\">itself<\/span><span data-contrast=\"auto\">\u00a0and\u00a0<\/span><span data-contrast=\"auto\">with a\u00a0<\/span><span data-contrast=\"auto\">focus on the Peloton\u00a0<\/span><span data-contrast=\"auto\">code and implementations<\/span><span data-contrast=\"auto\">. 
During\u00a0<\/span><span data-contrast=\"auto\">our research process, we uncovered a flaw (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-33887\">CVE-2021-33887<\/a>) in the Android Verified Boot (AVB) process, which was initially out of scope, that left the Peloton vulnerable.<\/span><\/p>\n<p>For those who are not familiar with Peloton, it is a brand that has combined high-end exercise equipment with cutting-edge technology. Its products are equipped with a large tablet that interfaces with the components of the fitness machine and provides a way to attend virtual workout classes over the internet. \u201cUnder the hood\u201d of this glossy exterior, however, is a standard Android tablet, and this hi-tech approach to exercise equipment has not gone unnoticed. Viral marketing mishaps aside, Peloton has garnered attention recently regarding concerns surrounding the privacy and security of its products. So, we decided to take a look for ourselves and purchased a Peloton Bike+.<\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Attempting to Backup<\/span><\/h2>\n<p><span data-contrast=\"auto\">One of the first things that we usually try to do when starting a new project, especially when said projects involve<\/span><span 
data-contrast=\"auto\">\u00a0large expenses<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">like the Peloton, is to try to find a way to take a backup or\u00a0<\/span><span data-contrast=\"auto\">a\u00a0<\/span><span data-contrast=\"auto\">system dump that could be used if a recovery is ever needed. Not\u00a0<\/span><span data-contrast=\"auto\">all<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">of<\/span><span data-contrast=\"auto\">\u00a0our\u00a0<\/span><span data-contrast=\"auto\">research techniques<\/span><span data-contrast=\"auto\">\u00a0keep the device in a pristine state\u00a0<\/span><span data-contrast=\"auto\">(we\u2019d be poor hackers if they did)<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">and having the ability to restore\u00a0<\/span><span data-contrast=\"auto\">the device\u00a0<\/span><span data-contrast=\"auto\">to\u00a0<\/span><span data-contrast=\"auto\">its\u00a0<\/span><span data-contrast=\"auto\">factory setting<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0is a safety net that we try to implement\u00a0<\/span><span data-contrast=\"auto\">o<\/span><span data-contrast=\"auto\">n our\u00a0<\/span><span data-contrast=\"auto\">targets<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Because we are working with a normal Android device with only the Peloton customizations running\u00a0<\/span><span data-contrast=\"auto\">at the application layer<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0many of the processes\u00a0<\/span><span data-contrast=\"auto\">used<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">to back<\/span><span data-contrast=\"auto\">\u00a0<\/span><span 
data-contrast=\"auto\">up\u00a0<\/span><span data-contrast=\"auto\">an Android phone\u00a0<\/span><span data-contrast=\"auto\">would also work with<\/span><span data-contrast=\"auto\">\u00a0the Peloto<\/span><span data-contrast=\"auto\">n<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0It is common in the\u00a0<\/span><span data-contrast=\"none\">Android custom ROM scene<\/span><span data-contrast=\"auto\">\u00a0to use a\u00a0<\/span><a href=\"https:\/\/techsphinx.com\/smartphones\/best-custom-recovery-for-android-devices-2020\/#what-is-android-custom-recovery\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">custom recovery<\/span><\/a><span data-contrast=\"auto\">\u00a0image that allows the u<\/span><span data-contrast=\"auto\">ser to\u00a0<\/span><span data-contrast=\"auto\">take full flash dumps of each critical\u00a0<\/span><span data-contrast=\"auto\">partition\u00a0<\/span><span data-contrast=\"auto\">and<\/span><span data-contrast=\"auto\">\u00a0prov<\/span><span data-contrast=\"auto\">ide<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0a method to\u00a0<\/span><span data-contrast=\"auto\">restore them later.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">In such communities,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">it often\u00a0<\/span><span data-contrast=\"auto\">also\u00a0<\/span><span data-contrast=\"auto\">goes<\/span><span data-contrast=\"auto\">\u00a0without saying that\u00a0<\/span><span data-contrast=\"auto\">the device must\u00a0<\/span><span data-contrast=\"auto\">first\u00a0<\/span><span data-contrast=\"auto\">be<\/span><span data-contrast=\"auto\">\u00a0<\/span><a href=\"https:\/\/www.howtogeek.com\/239798\/how-to-unlock-your-android-phones-bootloader-the-official-way\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">unlocked<\/span><\/a><span 
data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">in order to perform any of these steps.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">While the Android OS allows users to flash these critical partitions<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0there are restrictions in place that\u00a0<\/span><span data-contrast=\"auto\">typically<\/span><span data-contrast=\"auto\">\u00a0prevent an attacker from gaining access to the \u201ccurrently\u201d running system.<\/span><span data-contrast=\"auto\">\u00a0If an attacker was able to get their hands on an Android device\u00a0<\/span><span data-contrast=\"auto\">with the<\/span><span data-contrast=\"auto\">\u00a0goal of\u00a0<\/span><span data-contrast=\"auto\">installing a\u00a0<\/span><span data-contrast=\"auto\">rootkit<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0they would have to jump through some hoops.<\/span><span data-contrast=\"auto\">\u00a0The first step that an attacker would need to\u00a0<\/span><span data-contrast=\"auto\">take<\/span><span data-contrast=\"auto\">\u00a0is\u00a0<\/span><span data-contrast=\"auto\">to\u00a0<\/span><span data-contrast=\"auto\">enable<\/span><span data-contrast=\"auto\">\u00a0\u201c<\/span><span data-contrast=\"auto\">Original Equipment Manufacturer<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">(OEM<\/span><span data-contrast=\"auto\">)<\/span><span data-contrast=\"auto\">\u00a0Unlocking\u201d, which is a user mode setting within the \u201cdeveloper options\u201d menu. Even with physical access to the bootloader, an attacker would not be able to \u201cunlock\u201d the Android device unless this setting is checked. 
This option is usually secured behind the user\u2019s password,\u00a0<\/span><span data-contrast=\"auto\">PIN<\/span><span data-contrast=\"auto\">, or biometric phone lock, preventing an attacker from accessing it easily.\u00a0<\/span><span data-contrast=\"auto\">The second security measure in place is that even with the \u201cOEM Unlocking\u201d setting on, issuing commands to the bootloader to perform the unlock\u00a0<\/span><span data-contrast=\"auto\">first\u00a0<\/span><span data-contrast=\"auto\">cause<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0all data on\u00a0<\/span><span data-contrast=\"auto\">the<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Android device, including applications, files, passwords, etc., to be wiped.<\/span><span data-contrast=\"auto\">\u00a0This way<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">even\u00a0<\/span><span data-contrast=\"auto\">if an attacker did gain access to\u00a0<\/span><span data-contrast=\"auto\">the<\/span><span data-contrast=\"auto\">\u00a0Android device of an unsuspecting victim, they wouldn\u2019t be able to install a rootkit or modify the existing kernel without deleting all the data<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0which\u00a0<\/span><span data-contrast=\"auto\">both prevents personal data from falling into the attacker\u2019s hand<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0and makes it obvious the device has been tampered with.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">For this research effort<\/span><span data-contrast=\"auto\">, w<\/span><span data-contrast=\"auto\">e\u00a0<\/span><span data-contrast=\"auto\">resisted the urge<\/span><span 
data-contrast=\"auto\">\u00a0to unlock the\u00a0<\/span><span data-contrast=\"auto\">Peloton<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">as\u00a0<\/span><span data-contrast=\"auto\">there\u00a0<\/span><span data-contrast=\"auto\">are<\/span><span data-contrast=\"auto\">\u00a0ways\u00a0<\/span><span data-contrast=\"auto\">for apps\u00a0<\/span><span data-contrast=\"auto\">to query the unlock status\u00a0<\/span><span data-contrast=\"auto\">of a device\u00a0<\/span><span data-contrast=\"auto\">within Android<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0and we\u00a0<\/span><span data-contrast=\"auto\">wanted to ensure that any vulnerabilities we found weren\u2019t the result of the device behaving differently due to it being unlocked<\/span><span data-contrast=\"auto\">. Th<\/span><span data-contrast=\"auto\">ese discrepancies\u00a0<\/span><span data-contrast=\"auto\">that\u00a0<\/span><span data-contrast=\"auto\">arise from our research are<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">usually\u00a0<\/span><span data-contrast=\"auto\">identified\u00a0<\/span><span data-contrast=\"auto\">by having two<\/span><span data-contrast=\"auto\">\u00a0target<\/span><span data-contrast=\"auto\">\u00a0devices<\/span><span data-contrast=\"auto\">:<\/span><span data-contrast=\"auto\">\u00a0one\u00a0<\/span><span data-contrast=\"auto\">to serve as<\/span><span data-contrast=\"auto\">\u00a0the control and the other\u00a0<\/span><span data-contrast=\"auto\">to serve as<\/span><span data-contrast=\"auto\">\u00a0the test device<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Unfortunately,<\/span><span data-contrast=\"auto\">\u00a0we only had one Peloton<\/span><span data-contrast=\"auto\">\u00a0to play with<\/span><span data-contrast=\"auto\">.<\/span><span 
data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Another issue was that the Peloton hardware is not very common and the developers of the aforementioned custom recovery images, like Team Win Recovery Project (<\/span><a href=\"https:\/\/twrp.me\/Devices\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">TWRP<\/span><\/a><span data-contrast=\"none\">)<\/span><span data-contrast=\"auto\">, don\u2019t create images for every device, just the most common ones. So, the easy method of taking a backup would not only require unlocking the device but also trying to create our own custom recovery image.<\/span><\/p>\n<p><span data-contrast=\"auto\">This left us at a crossroads. We could unlock the bootloader and root the device, granting us access to the flash\u00a0<\/span><span 
data-contrast=\"auto\">memory\u00a0<\/span><span data-contrast=\"auto\">block devices<\/span><span data-contrast=\"auto\">\u00a0(raw\u00a0<\/span><span data-contrast=\"auto\">interfaces to the flash partitions)<\/span><span data-contrast=\"auto\">\u00a0internally<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">which would allow us<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">to create and restore backups<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">as needed<\/span><span data-contrast=\"auto\">. However,\u00a0<\/span><span data-contrast=\"auto\">as mentioned before, this would leave the bike in a recognizably \u201ctampered\u201d state.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Alternatively,<\/span><span data-contrast=\"auto\">\u00a0we could try to\u00a0<\/span><span data-contrast=\"auto\">capture one of<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">the\u00a0<\/span><span data-contrast=\"auto\">b<\/span><span data-contrast=\"auto\">ike\u2019s<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Over-The-Air (<\/span><span data-contrast=\"auto\">OTA<\/span><span data-contrast=\"auto\">)<\/span><span data-contrast=\"auto\">\u00a0updates<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">to use as\u00a0<\/span><span data-contrast=\"auto\">a\u00a0<\/span><span data-contrast=\"auto\">backup,<\/span><span data-contrast=\"auto\">\u00a0but\u00a0<\/span><span data-contrast=\"auto\">we<\/span><span data-contrast=\"auto\">\u00a0would still need to \u201cunlock\u201d the device to\u00a0<\/span><span data-contrast=\"auto\">actually flash<\/span><span data-contrast=\"auto\">\u00a0the OTA\u00a0<\/span><span data-contrast=\"auto\">image\u00a0<\/span><span data-contrast=\"auto\">manually<\/span><span data-contrast=\"auto\">.<\/span><span 
data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Both<\/span><span data-contrast=\"auto\">\u00a0options were less than ideal so we kept\u00a0<\/span><span data-contrast=\"auto\">looking for other solutions.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2>Android Verified Boot <span data-contrast=\"none\">P<\/span><span data-contrast=\"none\">rocess<\/span><\/h2>\n<p><span data-contrast=\"auto\">Just as Secure Boot provides a security mechanism for properly booting the OS on Windows PCs, Android has implemented measures to control the boot process, called Android Verified Boot (AVB).\u00a0<\/span><a href=\"https:\/\/source.android.com\/security\/verifiedboot\/verified-boot\"><span data-contrast=\"none\">According to Android\u2019s documentation<\/span><\/a><span data-contrast=\"auto\">, AVB<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">\u201c<\/span><span data-contrast=\"auto\">requires cryptographically verifying all executable code and data that is part of the Android version being booted before it is used. 
This includes the kernel (loaded from the boot partition), the device tree (loaded from the\u00a0<\/span><span data-contrast=\"auto\">dtbo<\/span><span data-contrast=\"auto\">\u00a0partition), system partition, vendor partition, and so on.<\/span><span data-contrast=\"auto\">\u201d<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The Peloton Bike+ ships with the default settings of \u201cVerity Mode\u201d set to true<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">as well as<\/span><span data-contrast=\"auto\">\u00a0\u201cDevice Unlocked\u201d and \u201cDevice Critical Unlocked\u201d set to false<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">which\u00a0<\/span><span data-contrast=\"auto\">is<\/span><span data-contrast=\"auto\">\u00a0intended to prevent\u00a0<\/span><span data-contrast=\"auto\">the loading of<\/span><span data-contrast=\"auto\">\u00a0modified boot images<\/span><span data-contrast=\"auto\">\u00a0and provide a way to determine if the device has been tampered with<\/span><span data-contrast=\"auto\">. 
This\u00a0<\/span><span data-contrast=\"auto\">information\u00a0<\/span><span data-contrast=\"auto\">was<\/span><span data-contrast=\"auto\">\u00a0verified by running\u00a0<\/span><span data-contrast=\"auto\"><code>fastboot<\/code><\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\"><code>oem<\/code><\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\"><code>device-info<\/code><\/span><span data-contrast=\"auto\">\u00a0on the Peloton<\/span><span data-contrast=\"auto\">, as demonstrated in\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">1<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To clarify<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0a<\/span><span data-contrast=\"auto\">\u00a0simplified Android boot process can be\u00a0<\/span><span data-contrast=\"auto\">visualized\u00a0<\/span><span data-contrast=\"auto\">as follows:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">If\u00a0<\/span><span data-contrast=\"auto\">modified code\u00a0<\/span><span data-contrast=\"auto\">is found\u00a0<\/span><span data-contrast=\"auto\">at any of the\u00a0<\/span><span data-contrast=\"auto\">stages in\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">2<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0the boot process should abort<\/span><span data-contrast=\"auto\">\u00a0or<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0if 
the device is\u00a0<\/span><span data-contrast=\"auto\">unlocked<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">warn the user that the images are not verified and give the option to the user to abort the boot.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Given<\/span><span data-contrast=\"auto\">\u00a0that we\u00a0<\/span><span data-contrast=\"auto\">defined our scope<\/span><span data-contrast=\"auto\">\u00a0of this project<\/span><span data-contrast=\"auto\">\u00a0to not include the Android boot process as a part of our research\u00a0<\/span><span data-contrast=\"auto\">and verifying that\u00a0<\/span><span data-contrast=\"auto\">Peloton has\u00a0<\/span><span data-contrast=\"auto\">attempted\u00a0<\/span><span data-contrast=\"auto\">to use the security\u00a0<\/span><span data-contrast=\"auto\">measures<\/span><span data-contrast=\"auto\">\u00a0provided by Android<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">we<\/span><span data-contrast=\"auto\">\u00a0again found ourselves debating\u00a0<\/span><span data-contrast=\"auto\">if a backup would be possible.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In<\/span><span data-contrast=\"auto\">\u00a0newer\u00a0<\/span><span data-contrast=\"auto\">Android\u00a0<\/span><span data-contrast=\"auto\">releases<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0including the Peloton,<\/span><span data-contrast=\"auto\">\u00a0the<\/span><span data-contrast=\"auto\">\u00a0update method\u00a0<\/span><span data-contrast=\"auto\">uses Android\u2019s<\/span><span data-contrast=\"auto\">\u00a0<\/span><a 
href=\"https:\/\/source.android.com\/devices\/tech\/ota\/ab\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">Seamless System Updates (A\/B)<\/span><\/a><span data-contrast=\"auto\">. This update method<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">no longer need<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0the \u201crecovery\u201d partition<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">forcing<\/span><span data-contrast=\"auto\">\u00a0users who wish to use a custom recovery to use the\u00a0<\/span><span data-contrast=\"auto\"><code>fastboot<\/code><\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\"><code>boot<\/code><\/span><span data-contrast=\"auto\">\u00a0command<\/span><span data-contrast=\"auto\">\u00a0w<\/span><span data-contrast=\"auto\">hich will download and boot the supplied\u00a0<\/span><span data-contrast=\"auto\">image<\/span><span data-contrast=\"auto\">. 
This is a temporary boot that doesn\u2019t \u201cflash\u201d or alter any of the flash partitions of the device and will revert to the previous boot image on restart. Since this option allows for modified code to be executed, it is only available when the device is in an unlocked state and will error out with a message stating \u201cPlease unlock device to enable this command,\u201d if attempted on a locked device.<\/span><\/p>\n<p><span data-contrast=\"auto\">This is a good security implementation because if this command was always\u00a0<\/span><span 
data-contrast=\"auto\">allowed,<\/span><span data-contrast=\"auto\">\u00a0it would be very similar to the process of booting from a live USB on your PC, where you can log in as a root user and have full control over the underlying system and components.<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Booting Modified Code<\/span><\/h2>\n<p><span data-contrast=\"auto\">This is where our luck or maybe na\u00efvet\u00e9 worked to our advantage. Driven by our reluctance to unlock the device and our desire to make a backup, we tried to boot a generic TWRP recovery image\u00a0<\/span><span 
data-contrast=\"auto\">just\u00a0<\/span><span data-contrast=\"auto\">to see what would happen<\/span><span data-contrast=\"auto\">. The<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">image\u00a0<\/span><span data-contrast=\"auto\">ended up\u00a0<\/span><span data-contrast=\"auto\">leaving us at<\/span><span data-contrast=\"auto\">\u00a0a black screen,\u00a0<\/span><span data-contrast=\"auto\">and\u00a0<\/span><span data-contrast=\"auto\">since each\u00a0<\/span><span data-contrast=\"auto\">recovery image needs to contain a small kernel with the correct drivers for the display, touch digitizer<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0and other device<\/span><span data-contrast=\"auto\">&#8211;<\/span><span data-contrast=\"auto\">specific hardware<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0this was\u00a0<\/span><span data-contrast=\"auto\">to be<\/span><span data-contrast=\"auto\">\u00a0expected<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-contrast=\"auto\">What w<\/span><span data-contrast=\"auto\">e didn\u2019t\u00a0<\/span><span data-contrast=\"auto\">expect<\/span><span data-contrast=\"auto\">, however,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">was for\u00a0<\/span><span data-contrast=\"auto\">it to\u00a0<\/span><span data-contrast=\"auto\">get past the\u00a0<\/span><span data-contrast=\"auto\"><code>fastboot<\/code><\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\"><code>boot<\/code><\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">command.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">While we didn\u2019t get a custom recovery running<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0it did\u00a0<\/span><span data-contrast=\"auto\">tell us one\u00a0<\/span><span 
data-contrast=\"auto\">thing<\/span><span data-contrast=\"auto\">: the system was not verifying that the device was unlocked before attempting to boot a custom image. Normally this command would be denied on a \u201clocked\u201d device and would have just errored out on the\u00a0<\/span><span data-contrast=\"auto\"><code>fastboot<\/code><\/span><span data-contrast=\"auto\">\u00a0command, as mentioned previously.<\/span><\/p>\n<p><span data-contrast=\"auto\">It is also important to point out that despite having booted a modified image, the internal fuse had not been burned. These fuses are usually burned during the OEM unlocking process to identify if a device has allowed for a different \u201croot of trust\u201d to be installed. The burning of such a fuse is a permanent operation and a burnt fuse often indicates that the device has been tampered with. 
As shown in\u00a0<\/span><span data-contrast=\"auto\">Figure 3<\/span><span data-contrast=\"auto\">, the \u201cSecure Boot\u201d fuse\u00a0<\/span><span data-contrast=\"auto\">wa<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0still present, and the device\u00a0<\/span><span data-contrast=\"auto\">wa<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">\u00a0reporting a locked bootloader.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Acquiring an OTA\u00a0<\/span><span data-contrast=\"none\">I<\/span><span data-contrast=\"none\">mage<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">This<\/span><span data-contrast=\"auto\">\u00a0discovery\u00a0<\/span><span data-contrast=\"auto\">was\u00a0<\/span><span data-contrast=\"auto\">unexpected<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">and\u00a0<\/span><span data-contrast=\"auto\">we\u00a0<\/span><span data-contrast=\"auto\">felt like we<\/span><span data-contrast=\"auto\">\u00a0had<\/span><span data-contrast=\"auto\">\u00a0stumbled upon a flaw that\u00a0<\/span><span data-contrast=\"auto\">gave us the ability to finally take a backup of the device and leave the Peloton in an \u201cuntampered\u201d state.\u00a0<\/span><span data-contrast=\"auto\">K<\/span><span data-contrast=\"auto\">nowing that a\u00a0<\/span><span data-contrast=\"auto\">custom image could be booted even with a \u201clocked\u201d bootloader<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0we<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">began looking at ways to gather a valid\u00a0<\/span><span data-contrast=\"auto\">boot image<\/span><span 
data-contrast=\"auto\">, which would contain the correct kernel drivers to\u00a0<\/span><span data-contrast=\"auto\">facilitate a successful<\/span><span data-contrast=\"auto\">\u00a0boot<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">If<\/span><span data-contrast=\"auto\">\u00a0we could piece together t<\/span><span data-contrast=\"auto\">he<\/span><span data-contrast=\"auto\">\u00a0OTA update URL and just download an update package\u00a0<\/span><span data-contrast=\"auto\">directly from Peloton<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0it<\/span><span data-contrast=\"auto\">\u00a0would\u00a0<\/span><span data-contrast=\"auto\">likely\u00a0<\/span><span data-contrast=\"auto\">contain a boot image<\/span><span data-contrast=\"auto\">\u00a0that<\/span><span data-contrast=\"auto\">\u00a0we could modify<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-contrast=\"auto\">Having the ability to modify a boot image\u00a0<\/span><span data-contrast=\"auto\">would\u00a0<\/span><span data-contrast=\"auto\">give us root\u00a0<\/span><span data-contrast=\"auto\">and access to the\u00a0<\/span><span data-contrast=\"auto\">block<\/span><span data-contrast=\"auto\">ed<\/span><span data-contrast=\"auto\">\u00a0devices<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Even with just\u00a0<\/span><a href=\"https:\/\/developer.android.com\/studio\/command-line\/adb\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">ADB debugging<\/span><\/a><span data-contrast=\"auto\">\u00a0enabled we were able to pull the\u00a0<\/span><span data-contrast=\"auto\">Peloton<\/span><span data-contrast=\"auto\">&#8211;<\/span><span data-contrast=\"auto\">specific applications from the device.\u00a0<\/span><span 
data-contrast=\"auto\">We listed\u00a0<\/span><span data-contrast=\"auto\">all<\/span><span data-contrast=\"auto\">\u00a0the Peloton\u00a0<\/span><span data-contrast=\"auto\">APK<\/span><span data-contrast=\"auto\">s\u00a0<\/span><span data-contrast=\"auto\">and\u00a0<\/span><span data-contrast=\"auto\">sought out the\u00a0<\/span><span data-contrast=\"auto\">ones that could help us get the OTA path<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0shown in<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">4<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Finding the name\u00a0<\/span><span data-contrast=\"auto\">OTAService<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">promising, we pulled down<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">the\u00a0<\/span><span data-contrast=\"auto\">APK<\/span><i><span data-contrast=\"auto\">\u00a0<\/span><\/i><span data-contrast=\"auto\">and<\/span><span data-contrast=\"auto\">\u00a0began\u00a0<\/span><span data-contrast=\"auto\">to\u00a0<\/span><span data-contrast=\"auto\">reverse-engineer it<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">using<\/span><span data-contrast=\"auto\">\u00a0<\/span><a href=\"https:\/\/github.com\/skylot\/jadx\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">JADX<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">After some digging, we<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">discovered how the app\u00a0<\/span><span data-contrast=\"auto\">was\u00a0<\/span><span data-contrast=\"auto\">building the 
download\u00a0<\/span><span data-contrast=\"auto\">URL string<\/span><span data-contrast=\"auto\">\u00a0for OTA updates<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">which would then be passed to<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\"><code>beginDownload<\/code><code><\/code><\/span><span data-contrast=\"auto\"><code>()<\/code><code><\/code><\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">as seen in\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">5<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We also noticed quite a few\u00a0<\/span><span data-contrast=\"auto\">A<\/span><span data-contrast=\"auto\">ndroid log<\/span><span data-contrast=\"auto\">\u00a0calls that could help us<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0such as the one right before the call to\u00a0<\/span><span data-contrast=\"auto\"><code>beginDownload<\/code><\/span><span data-contrast=\"auto\"><code>()<\/code><\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0so\u00a0<\/span><span data-contrast=\"auto\">we\u00a0<\/span><span data-contrast=\"auto\">us<\/span><span data-contrast=\"auto\">ed<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Android\u2019s<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">built<\/span><span data-contrast=\"auto\">&#8211;<\/span><span data-contrast=\"auto\">in<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">logcat<\/span><span data-contrast=\"auto\">\u00a0command and grepp<\/span><span data-contrast=\"auto\">ed<\/span><span data-contrast=\"auto\">\u00a0<\/span><span 
data-contrast=\"auto\">the output\u00a0<\/span><span data-contrast=\"auto\">for \u201cOTA\u201d<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">as<\/span><span data-contrast=\"auto\">\u00a0seen in\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">6<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Doing so,\u00a0<\/span><span data-contrast=\"auto\">we were able to find\u00a0<\/span><span data-contrast=\"auto\">which S3 bucket was used for the OTA updates and\u00a0<\/span><span data-contrast=\"auto\">even\u00a0<\/span><span data-contrast=\"auto\">a file manifest\u00a0<\/span><span data-contrast=\"auto\">titled\u00a0<\/span><span data-contrast=\"auto\">OTAConfig.json<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Combining the information obtained from\u00a0<\/span><span data-contrast=\"auto\">OTAService.apk<\/span><span data-contrast=\"auto\">\u00a0and the logs,\u00a0<\/span><span data-contrast=\"auto\">we were able<\/span><span data-contrast=\"auto\">\u00a0to piece together the full path to the OTA images<\/span><span data-contrast=\"auto\">\u00a0manifest file<\/span><span data-contrast=\"auto\">\u00a0and names for each OTA zip file<\/span><span data-contrast=\"auto\">, as shown in\u00a0<\/span><span data-contrast=\"auto\">Figure\u00a0<\/span><span data-contrast=\"auto\">7<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Our next step was<\/span><span data-contrast=\"auto\">\u00a0to extract the contents of the OTA 
update\u00a0<\/span><span data-contrast=\"auto\">to<\/span><span data-contrast=\"auto\">\u00a0get\u00a0<\/span><span data-contrast=\"auto\">a<\/span><span data-contrast=\"auto\">\u00a0valid\u00a0<\/span><span data-contrast=\"auto\">boot.img<\/span><span data-contrast=\"auto\">\u00a0file that would contain\u00a0<\/span><span data-contrast=\"auto\">all<\/span><span data-contrast=\"auto\">\u00a0the specific kernel\u00a0<\/span><span data-contrast=\"auto\">drivers for the Peloton hardware. Since the Peloton is using Android<\/span><span data-contrast=\"auto\">\u2019<\/span><span data-contrast=\"auto\">s\u00a0<\/span><span data-contrast=\"auto\">A\/B partitions<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0which facilitate seamless updates<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0the update packages\u00a0<\/span><span data-contrast=\"auto\">were<\/span><span data-contrast=\"auto\">\u00a0stored in a \u201c<\/span><span data-contrast=\"auto\">payload.bin<\/span><span data-contrast=\"auto\">\u201d format.\u00a0<\/span><span data-contrast=\"auto\">Using the\u00a0<\/span><a href=\"https:\/\/github.com\/vm03\/payload_dumper\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">Android payload dumper<\/span><\/a><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">tool<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">we were able to extract all of the images\u00a0<\/span><span data-contrast=\"auto\">contained in the bin file.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Modifying the Boot\u00a0<\/span><span data-contrast=\"none\">I<\/span><span data-contrast=\"none\">mage<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\"><span class=\"TextRun SCXW131588300 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW131588300 BCX0\">Once the\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2 SCXW131588300 BCX0\">boot.img<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">was<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0extracted,\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">we needed a way to modify the\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">initial kernel to allow us to gain root access on the device.\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">Although t<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">here are a\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">variety<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">of<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0ways to\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">accomplish<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0this<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">,<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">we decided to\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">keep things simple and\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">just use the\u00a0<\/span><\/span><a class=\"Hyperlink SCXW131588300 BCX0\" href=\"https:\/\/github.com\/topjohnwu\/Magisk\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"TextRun Underlined SCXW131588300 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun 
SCXW131588300 BCX0\" data-ccp-charstyle=\"Hyperlink\">Magisk<\/span><\/span><\/a><span class=\"TextRun SCXW131588300 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0installer to patch the\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2 SCXW131588300 BCX0\">boot.img<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0fil<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">e to include the \u201c<\/span><span class=\"NormalTextRun SpellingErrorV2 SCXW131588300 BCX0\">su<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u201d binary. With the\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2 SCXW131588300 BCX0\">boot.img<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0patched,\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">we were able to use the<\/span><\/span> <\/span><span data-contrast=\"auto\"><code>fastboot<\/code><\/span><span data-contrast=\"auto\">\u00a0<code><\/code><\/span><span data-contrast=\"auto\"><span class=\"TextRun SCXW131588300 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW131588300 BCX0\">boot<\/span><\/span><span class=\"TextRun SCXW131588300 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0command again but this time passing\u00a0<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">it our patched\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2 SCXW131588300 BCX0\">boot.img<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">\u00a0file<\/span><span class=\"NormalTextRun SCXW131588300 BCX0\">. 
Since the Verified Boot<\/span><\/span> process <\/span><span data-contrast=\"auto\">on the Peloton<\/span><span data-contrast=\"auto\">\u00a0fail<\/span><span data-contrast=\"auto\">ed<\/span><span data-contrast=\"auto\">\u00a0to identify the modified boot image as tampered, the OS boot<\/span><span data-contrast=\"auto\">ed\u00a0<\/span><span data-contrast=\"auto\">normally<\/span><span data-contrast=\"auto\">\u00a0with the patched\u00a0<\/span><span data-contrast=\"auto\">boot.img<\/span><span data-contrast=\"auto\">\u00a0file<\/span><span data-contrast=\"auto\">. After this process\u00a0<\/span><span data-contrast=\"auto\">was<\/span><span data-contrast=\"auto\">\u00a0complete, the Peloton Bike+\u00a0<\/span><span data-contrast=\"auto\">was<\/span><span data-contrast=\"auto\">\u00a0indistinguishable from its\u00a0<\/span><span data-contrast=\"auto\">\u201cnormal\u201d state under visual\u00a0<\/span><span data-contrast=\"auto\">inspection\u00a0<\/span><span data-contrast=\"auto\">and<\/span><span data-contrast=\"auto\">\u00a0the process left no\u00a0<\/span><span data-contrast=\"auto\">artifacts that would<\/span><span data-contrast=\"auto\">\u00a0tip off the user\u00a0<\/span><span data-contrast=\"auto\">that\u00a0<\/span><span data-contrast=\"auto\">the Peloton ha<\/span><span data-contrast=\"auto\">d<\/span><span data-contrast=\"auto\">\u00a0been compromised.<\/span><span data-contrast=\"auto\">\u00a0But\u00a0<\/span><span data-contrast=\"auto\">appearances can be deceiving, and<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">in reality th<\/span><span data-contrast=\"auto\">e Android OS\u00a0<\/span><span data-contrast=\"auto\">had now been<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">rooted<\/span><span data-contrast=\"auto\">,\u00a0<\/span><span data-contrast=\"auto\">allowing<\/span><span data-contrast=\"auto\">\u00a0us to use\u00a0<\/span><span data-contrast=\"auto\">the\u00a0<\/span><span 
data-contrast=\"auto\">\u201c<\/span><span data-contrast=\"auto\">su<\/span><span data-contrast=\"auto\">\u201d command to become root and\u00a0<\/span><span data-contrast=\"auto\">perform<\/span><span data-contrast=\"auto\">\u00a0actions<\/span><span data-contrast=\"auto\">\u00a0with UID=0<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0as seen in<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Figure 8<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Impact\u00a0<\/span><span data-contrast=\"none\">S<\/span><span data-contrast=\"none\">cenarios<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">As we just demonstrated, t<\/span><span data-contrast=\"auto\">he ability to bypass the Android Verified Boot process can lead to the Android OS being compromised by an attacker<\/span><span data-contrast=\"auto\">\u00a0with physical access<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-contrast=\"auto\">A worst-case scenario for such an attack vector might involve a\u00a0<\/span><span data-contrast=\"auto\">malicious agent booting the Peloton with a modified\u00a0<\/span><span data-contrast=\"auto\">image to gain elevated privileges and then leveraging\u00a0<\/span><span data-contrast=\"auto\">those privileges to establish a reverse shell, granting the attacker\u00a0<\/span><span data-contrast=\"auto\">unfettered<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">root access\u00a0<\/span><span data-contrast=\"auto\">on<\/span><span data-contrast=\"auto\">\u00a0the bike remotely<\/span><span data-contrast=\"auto\">. 
Since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">This sort of attack could be\u00a0<\/span><span data-contrast=\"auto\">effectively delivered<\/span><span data-contrast=\"auto\">\u00a0via\u00a0<\/span><span data-contrast=\"auto\">the supply chain process. A<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">malicious<\/span><span data-contrast=\"auto\">\u00a0actor\u00a0<\/span><span data-contrast=\"auto\">could\u00a0<\/span><span data-contrast=\"auto\">tamper with the\u00a0<\/span><span data-contrast=\"auto\">product\u00a0<\/span><span data-contrast=\"auto\">at any point from construction to warehouse to delivery, installing<\/span><span data-contrast=\"auto\">\u00a0a backdoor into the Android tablet without any way the end\u00a0<\/span><span data-contrast=\"auto\">user\u00a0<\/span><span data-contrast=\"auto\">could know.\u00a0<\/span><span data-contrast=\"auto\">Another<\/span><span data-contrast=\"auto\">\u00a0scenario could be that an attacker could simpl<\/span><span data-contrast=\"auto\">y<\/span><span data-contrast=\"auto\">\u00a0walk up to one of these devices that\u00a0<\/span><span data-contrast=\"auto\">is installed in a\u00a0<\/span><span data-contrast=\"auto\">gym or a fitness room<\/span><span data-contrast=\"auto\">\u00a0and perform the same attack<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0gaining root access on these devices for later use<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0The\u00a0<\/span><a href=\"https:\/\/www.pelobuddy.com\/travel\/map\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"auto\">Pelobuddy<\/span><span data-contrast=\"none\">\u00a0interactive map<\/span><\/a><span data-contrast=\"auto\"> in Figure <\/span><span 
data-contrast=\"auto\">9<\/span><span data-contrast=\"auto\">\u00a0below could help an attacker find public bikes to attack<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Once an attacker has root, they could make their presence permanent by modifying the OS in a rootkit fashion, removing any need for the attacker to repeat this step. Another risk is that an attacker could modify the system to put themselves in a man-in-the-middle position and sniff all network traffic, even SSL encrypted traffic<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0using a technique called\u00a0<\/span><a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/misc\/ms-android-7-10-ssl-pinning-bypass.pdf\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"none\">SSL unpinning<\/span><\/a><span data-contrast=\"auto\">, which requires root privileges to hook calls to internal encryption functionality.\u00a0<\/span><span data-contrast=\"auto\">Intercepting and decrypting<\/span><span data-contrast=\"auto\">\u00a0network traffic\u00a0<\/span><span data-contrast=\"auto\">in this fashion<\/span><span data-contrast=\"auto\">\u00a0could lead to users<\/span><span data-contrast=\"auto\">\u2019<\/span><span data-contrast=\"auto\">\u00a0personal data being compromised.<\/span><span data-contrast=\"auto\">\u00a0Lastly<\/span><span data-contrast=\"auto\">,<\/span><span data-contrast=\"auto\">\u00a0the Peloton Bike+ also has a camera and a microphone\u00a0<\/span><span data-contrast=\"auto\">installed. 
Having remote access with root permissions on the Android tablet would allow an attacker to monitor these devices,\u00a0<\/span><span data-contrast=\"auto\">as\u00a0<\/span><span data-contrast=\"auto\">demoed in the impact video below.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/RLjXfvb0ADw\" width=\"1080\" height=\"630\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><span style=\"display: inline-block; width: 0px; overflow: hidden; line-height: 0;\" data-mce-type=\"bookmark\" class=\"mce_SELRES_start\">\ufeff<\/span><\/iframe><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Disclosure\u00a0<\/span><span data-contrast=\"none\">Timeline\u00a0<\/span><span data-contrast=\"none\">and Patch<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">G<\/span><span data-contrast=\"auto\">iven<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">the\u00a0<\/span><span data-contrast=\"auto\">simplicity and criticality\u00a0<\/span><span data-contrast=\"auto\">of the flaw, we decided to<\/span><span data-contrast=\"auto\">\u00a0disclose to Peloton\u00a0<\/span><span data-contrast=\"auto\">even as we continue to audit the device for remote vulnerabilities. 
We sent our vendor disclosure with full details on March 2, 2021<\/span><span data-contrast=\"auto\">\u00a0\u2013 shortly after, Peloton\u00a0<\/span><span data-contrast=\"auto\">confirmed the issue and\u00a0<\/span><span data-contrast=\"auto\">subsequently\u00a0<\/span><span data-contrast=\"auto\">released a fix for\u00a0<\/span><span data-contrast=\"auto\">it\u00a0<\/span><span data-contrast=\"auto\">in software version\u00a0<\/span><span data-contrast=\"auto\">\u201cPTX14A-290\u201d.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">The patched image no longer allows for the \u201cboot\u201d command to work on a user\u00a0<\/span><span data-contrast=\"auto\">build<\/span><span data-contrast=\"auto\">, mitigating this vulnerability entirely<\/span><span data-contrast=\"auto\">.\u00a0<\/span><span data-contrast=\"auto\">The Peloton vulnerability disclos<\/span><span data-contrast=\"auto\">ure<\/span><span data-contrast=\"auto\">\u00a0process was\u00a0<\/span><span data-contrast=\"auto\">smooth,<\/span><span data-contrast=\"auto\">\u00a0and the team were\u00a0<\/span><span data-contrast=\"auto\">receptive and\u00a0<\/span><span data-contrast=\"auto\">responsive<\/span><span data-contrast=\"auto\">\u00a0with all communications<\/span><span data-contrast=\"auto\">.<\/span>\u00a0Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+.<\/p>\n<p>Peloton\u2019s Head of Global Information Security, Adrian Stone, shared the following: &#8220;this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. 
We pushed a mandatory update in early June and every device with the update installed is protected from this issue.&#8221;<\/p>\n<p><span data-contrast=\"auto\">We are continuing to<\/span><span data-contrast=\"auto\">\u00a0investigate the Peloton Bike+, so make sure you\u00a0<\/span><span data-contrast=\"auto\">stay up to date on\u00a0<\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span data-contrast=\"auto\">McAfee\u2019s ATR\u00a0<\/span><span data-contrast=\"none\">blogs<\/span><\/a><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">for\u00a0<\/span><span data-contrast=\"auto\">any fu<\/span><span data-contrast=\"auto\">ture discoveries<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary\u00a0 The McAfee\u00a0Advanced Threat Research team\u00a0(ATR)\u00a0is committed to uncovering security issues in both software and hardware to help developers&#8230;<\/p>\n","protected":false},"author":1064,"featured_media":122803,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[5683,5850],"class_list":["post-122833","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A New Program for Your Peloton \u2013 Whether You Like It or Not | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Executive Summary\u00a0 The McAfee\u00a0Advanced Threat Research team\u00a0(ATR)\u00a0is committed to uncovering security issues in 
both software and hardware to help\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-16T04:01:52+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-05T12:55:05+00:00\" \/>\n<meta name=\"author\" content=\"Sam Quinn, Mark Bereza\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sam Quinn, Mark Bereza\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/\"},\"author\":{\"name\":\"Sam Quinn\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/e66d604e9acc14787d29ba40c9b0eaac\"},\"headline\":\"A New Program for Your Peloton \u2013 Whether You Like It or Not\",\"datePublished\":\"2021-06-16T04:01:52+00:00\",\"dateModified\":\"2024-07-05T12:55:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/\"},\"wordCount\":2796,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/06\/AdobeStock_331619795_200x200-1.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/\",\"name\":\"A New Program for Your Peloton \u2013 Whether You Like It or Not | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/06\/AdobeStock_331619795_200x200-1.jpg\",\"datePublished\":\"2021-06-16T04:01:52+00:00\",\"dateModified\":\"2024-07-05T12:55:05+00:00\",\"description\":\"Executive Summary\u00a0 The McAfee\u00a0Advanced Threat Research team\u00a0(ATR)\u00a0is committed to uncovering security issues in both software and hardware to help\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/06\/AdobeStock_331619795_200x200-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/06\/AdobeStock_331619795_200x200-1.jpg\",\"width\":200,\"height\":200,\"caption\":\"Connected 
Fitness\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/a-new-program-for-your-peloton-whether-you-like-it-or-not\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"A New Program for Your Peloton \u2013 Whether You Like It or Not\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/
mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/e66d604e9acc14787d29ba40c9b0eaac\",\"name\":\"Sam Quinn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/b7f2dd45ad7b8c848605319a8d083a87\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/02\/quinnsa-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/02\/quinnsa-96x96.jpg\",\"caption\":\"Sam Quinn\"},\"description\":\"Sam Quinn is a Security Researcher on the Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Sam has a focus on IOT and embedded devices with knowledge in the fields of reverse engineering and penetration testing.\",\"sameAs\":[\"http:\/\/www.linkedin.com\/in\/sam--quinn\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/sam-quinn\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}