The show "TORUK" of the famous Cirque du Soleil used for advertising purposes an application, which made the mobile phones of the users vulnerable. The app, called “TORUK – The First Flight”, was designed to give to users iOS and Android the ability to participate in the show through synchronized audiovisual effects created on their mobile phones.
"It seems that the security factor was not taken into account when designing the TORUK application. As a result, anyone connected to the network during the show had the same management capabilities as the Cirque du Soleil administrators, ”explains ESET researcher Lukáš ftefanko, who analyzed the application.
The app “TORUK – The First Flight” has over 100.000 downloads on Google Play, while there is also a version for iOS.
With the completion of the "TORUK" performances, the application ceased to be available and the people in charge of Cirque du Soleil stated that they will withdraw it from the official app stores for Android and Apple devices.
When this application is used, it opens a local port to enable remote volume settings, detect nearby Bluetooth devices (if enabled mode Bluetooth), the display of animation, the setting of the “Like” button for Facebook as well as the participation in shared preferences accessible in the application.
"The problem is that the application does not have an authentication protocol. An astute person can scan the network, collect the IP addresses of the devices as long as the specific port is open (port 6161) and send commands to all devices using the application," explains Štefanko.
According to Štefanko, it would be very simple to shield the enforcement against this kind of attack.
If the application created a unique token for each device, it would be impossible for anyone to access all devices massively without authentication testing
After the show, all devices that have this app installed are still vulnerable, so users are at risk of experiencing unpleasant surprises at any time in the future if they are connected to a public network.
"Users who have installed this app should uninstall it immediately. By the way, we recommend doing this with all applications that are designed for a specific use", concludes Štefanko.
More information can be found on this blogpost by Lukáš ftefanko “A great show is now history, as is its insecure mobile app” on ESET Android App Watch.
___________________
- WiFi view the stored codes in Windows
- Pocket Drones for soldiers are being tested in Afghanistan
- Kodachi Linux 6.1 anti forensic anonymous operating
