Cybersecurity: How safe are smart exercise bikes like Peloton & Vaha?

Home training is becoming a multimedia experience thanks to smart fitness equipment that is increasingly finding its way into living rooms around the world. The German startup Vaha, for example, sells an interactive fitness mirror that is supposed to work like a personal trainer in your own home. At the forefront internationally is the US company Peloton with its high-tech ergometer. The share price rose by around 420 percent in the Corona year 2020. Sales between January and September totaled around 1.9 billion US dollars, an increase of around 145 percent compared to the same period last year.

At the heart of Peloton’s business model is a high-tech fitness bike for the living room. Via a screen attached to the handlebars, users can track their performance, ride virtual bike paths, take part in live courses with other people from all over the world and interact with them. A Peloton bike costs 2,290 euros, with an additional monthly fee of 39 euros for the courses.

Joe Biden and his wife Jill have also discovered the smart home trainer in lockdown. However, the US President’s Peloton bike raises security concerns with the move to the White House. Former deputy director of the US National Security Agency, Richard H. Ledgett Jr, told the New York Times that hackers could spy on the White House through possible security holes.

That raises the question:

How safe is smart fitness equipment like Peloton, Vaha and Co.?

Vladislav Iliushin is a professional hacker at the Czech antivirus software company Avast, where he researches the security gaps in smart home devices. He believes the concerns of the US secret service are justified. “Any device that has a camera, microphone, and internet connection is potentially a security risk,” he said. The health data that such fitness equipment collects can also be of interest to hackers. “Health is a hot topic, especially with politicians and celebrities,” says Iliushin.

For normal users, however, the security risk is different. “It’s hard to blackmail someone with their heart rate,” says the security expert. The massive tapping of microphones and cameras is also not particularly lucrative for hackers. In many places the Internet is simply too slow and the storage space for evaluating the data is too expensive. “Over time, the technology becomes cheaper and then it can be worthwhile to search the recordings of millions of cameras with the help of face recognition for interesting target persons.”

Most common scam: Blackmail

Iliushin currently estimates the probability of falling victim to a targeted attack to be relatively low, especially since the effort is comparatively high. In practice, cybercriminals would be more likely to resort to methods that can be expanded to cover a large number of targets with little effort.

In the context of smart home devices, which also include the Peloton bike, he has primarily observed three types of attacks. The first scenario is about blackmail. Attackers smuggle in a Trojan horse via a vulnerability, hijack the device and demand a ransom. In the second scenario, the attackers gain access to the device in order to mine cryptocurrencies at the owner’s expense. “It was very popular in the past, but it depends on the course,” says Iliushin. Thirdly, hackers often misuse unsecured devices for so-called DDoS attacks. In doing so, they direct a large number of hijacked devices at a particular website at the same time, which is then brought to its knees by the flood of requests.

No cases at Vaha so far

So far, there have been no publicly known cases in which criminals have gained access to the smart fitness devices from Peloton, Vaha and Co. When asked, Vaha stated that no devices, users or servers have been compromised by hackers to date.

As a German company, Vaha is obliged to comply with the German GDPR guidelines. “In addition, our users always have the option of physically taking additional security measures such as switching off the device, the camera and the microphone,” says Vaha founder and managing director Valerie Bures.

In response to a request, the US company Peloton announced: “Peloton products are based on strong data protection and security measures to protect our member experience.” Every new function and every new product version is thoroughly tested and measured against industry standards. “We closely monitor every part of our system, conduct regular security assessments with professional third-party security experts, and encrypt the data that is transferred between the Peloton-connected fitness products and the Peloton cloud-based app.” The company did not respond to the question of whether there have been any cases in which Peloton devices were hacked.

