The show "TORUK" of the famous Cirque du Soleil used for advertising purposes an application, which made the mobile phones of the users vulnerable. The app, called “TORUK – The First Flight”, είχε σχεδιαστεί για να δίνει σε χρήστες iOS και Android τη δυνατότητα να συμμετέχουν στην παράσταση μέσω συγχρονισμένων οπτικοακουστικών εφέ που δημιουργούνταν στα κινητά τους.
“It seems that the security factor was not taken into account when designing the TORUK app. As a result, anyone connecting to the network κατά τη διάρκεια της παράστασης είχε τις ίδιες possibilities management with Cirque du Soleil administrators," explains ESET researcher Lukáš Štefanko, who analyzed the application.
The app “TORUK – The First Flight” has over 100.000 downloads on Google Play, while there is also a version for iOS.
With the completion of the "TORUK" performances, the application ceased to be available and the people in charge of Cirque du Soleil stated that they will withdraw it from the official app stores for Android and Apple devices.
When this application is used, it opens a local port so that volume settings can be changed remotely sound, locating nearby Bluetooth devices (if Bluetooth is enabled), displaying animations, setting the “Like” button for Facebook as well as participating in shared preferences accessible in the application.
"The problem is that the application does not have an authentication protocol. An expert can scan the network, collect the IP addresses of the devices when the specific port is open (port 6161) and send commands to all devices that use the application ", Štefanko explains.
According to Štefanko, it would be very simple to shield the enforcement against this kind of attack.
If the application created a unique token for each device, it would be impossible for anyone to access all devices massively without authentication testing
After the show, all devices that have this app installed are still vulnerable, so users are at risk of experiencing unpleasant surprises at any time in the future if they are connected to a public network.
"Users who have installed this application must uninstall it immediately. By the way, we recommend that they do this with all applications designed for a specific use ", Štefanko concludes.
More information can be found on this blogpost by Lukáš ftefanko “A great show is now history, as is its insecure mobile app” on ESET Android App Watch.
___________________
- WiFi view the stored codes in Windows
- Pocket Drones for soldiers are being tested in Afghanistan
- Kodachi Linux 6.1 anti forensic anonymous operating
