Peloton Interactive, Inc. — 2 prefixes (MA-L)

Peloton Interactive, Inc. is a US connected-fitness company (NASDAQ: PTON, founded 2012, HQ at 158 W 27th St, 4th Floor, New York, NY 10001) whose IEEE footprint is two MA-L blocks — AC:04:0B and 54:49:DF — both registered to "Peloton Interactive, Inc" at the New York registry address. Its hardware is touchscreen-equipped IoT: the Bike and Bike+, Tread and Tread+, Row+, and the camera-based Peloton Guide, each running Android with built-in Wi-Fi (802.11 a/b/g/n/ac, dual-band), Bluetooth 5.0, an Ethernet port, and (on several models) a camera and microphone. From a network standpoint these are streaming endpoints: devices make outbound-only connections on TCP 443/80 and UDP 123 (NTP), pull roughly 8 Mbps of class video, and reach a long list of third-party telemetry, CDN, payment, and ad partners; captive portals and proxies are explicitly unsupported. The security history is the reason these devices warrant care on managed networks: CVE-2021-33887 (McAfee ATR, 2021) let an attacker with physical access plant a malicious boot image via USB on Bike+/Tread for root and camera/microphone access; an unauthenticated API leaked user PII in 2021 and took months to fully remediate; and 2023 reporting flagged Tread units running an Android release several major versions behind. A critical naming caveat: a *separate* company, "Peloton Technology" (autonomous-trucking, Mountain View, CA — now defunct/acquired), holds one MA-S block, 70:B3:D5:43:E, so the name alone does not identify the fitness vendor.

IEEE assignment

2 prefixes → Peloton Interactive, Inc, registered New York, NY, US [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv: AC040B, 5449DF)

Registry / block size

MA-L (24-bit OUI); two IEEE blocks (~16.7M addresses each) [Confirmed] — IEEE MA-L. NOTE: IEEE's public OUI data publishes NO assignment/registration date (oui.csv columns are only Registry, Assignment, Organization Name, Organization Address); the "2016-04-01"/"2021-01-13" dates shown on maclookup.app are third-party database artifacts, not IEEE facts.

HQ / country

158 W 27th St, 4th Floor, New York, NY 10001, US (registry address = corporate HQ) [Confirmed] — IEEE MA-L; https://finance.yahoo.com/quote/PTON/profile/

Company status

active; publicly traded (NASDAQ: PTON), founded 2012 [Confirmed] — https://finance.yahoo.com/quote/PTON/profile/

Device types

connected-fitness IoT — stationary bikes (Bike, Bike+), treadmills (Tread, Tread+), rower (Row+), Peloton Guide strength camera; touchscreen running Android, Wi-Fi + Bluetooth 5.0 + Ethernet, optional camera/microphone [Confirmed] — https://support.onepeloton.com/s/article/15758838594068-Peloton-Product-Usage-Requirements?language=en_CA

Notable products

Bike+, Tread, Peloton Guide; commercial Peloton Pro Series for gyms [Confirmed] — https://investor.onepeloton.com/news-releases/news-release-details/peloton-introduces-new-commercial-equipment-line-peloton-pro

Verified sample prefixes (both MA-L, Peloton Interactive, Inc)

AC:04:0B, 54:49:DF [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv); https://maclookup.app/vendors/peloton-interactive-inc

Network behavior

outbound-only TCP 443/80 + UDP 123 (NTP); ~8 Mbps streaming video; telemetry/CDN/payment/ad endpoints (Amplitude, Crashlytics, New Relic, Segment, Akamai, Cloudinary, AWS S3, Stripe, Google, Facebook); captive portals + proxies unsupported [Confirmed] — https://business.onepeloton.com/support/network-setup-instructions

Security context

CVE-2021-33887 (McAfee ATR, 2021; patched in PTX14A-290) — physical USB boot-image insertion on Bike+/Tread → remote root + camera/microphone access; 2021 unauthenticated-API PII leak (Pen Test Partners) took ~months to remediate; 2023 reporting (Dark Reading) flagged Tread on outdated Android. Mozilla "Privacy Not Included" rates Peloton "Somewhat creepy" for biometric/geolocation/voiceprint data shared with ad partners. [Confirmed] — https://www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/ ; https://www.darkreading.com/remote-workforce/flaws-in-peloton-tread-expose-enterprise-network-to-iot-attack-vectors ; https://www.mozillafoundation.org/en/privacynotincluded/peloton-bike/

Related vendors

"Peloton Technology" (autonomous-trucking, Mountain View, CA; now defunct/acquired) is a DISTINCT company holding one MA-S block 70:B3:D5:43:E — not the fitness vendor [Confirmed] — IEEE MA-S (enrichment/registries/oui36.csv)

Analyst note

On enterprise/commercial networks place Peloton devices on an isolated IoT VLAN — delayed patching history, outdated Android, heavy third-party telemetry, and camera/microphone hardware make them higher-risk endpoints; an outbound allow-list (TCP 443/80, UDP 123) is sufficient, no inbound ports needed.