The famous Cirque du Soleil show Toruk, which held its final performance last night – on June 30 – was enhanced with a mobile app that made users’ mobile devices vulnerable. The app, named “TORUK – The First Flight,” provided a means for the audience to be part of the show via audiovisual effects generated on their mobile devices.
“It appears that the TORUK app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators,” explains Lukáš Štefanko, the ESET security researcher who analyzed the app.
The “TORUK – The First Flight” app has over 100,000 installs on Goggle Play; there is also a version for iOS. With the end of the TORUK show, the app is no longer being marketed, and Cirque du Soleil’s staff said they would pull it from both the Android and Apple official app stores.
Cirque du Soleil promoted the “TORUK – The First Flight” app on their website
When this app is running, it opens a local port so that it is possible to remotely change volume settings, discover nearby Bluetooth devices if Bluetooth is on, display animations, set the position of the “Like” Facebook button on the device, and read or write to shared preferences that are accessible to the app.
“The problem is that the app has no authentication protocol in place. An adversary can scan the network and get the IP addresses of devices with the defined port opened – port 6161 – and send commands to all devices running the app,” explains Štefanko.
According to Štefanko, making the app resistant against this type of attack would have been simple. “If the app generated a unique token for each device, then it would be impossible to access all the devices en masse, without any authentication.”
After the show, all the devices with this app installed remain vulnerable, so its users may experience unpleasant surprises at any point in the future if they are connected to a public network.
“Those who installed this app should uninstall it immediately. By the way, we highly recommend doing that with all single-purpose apps,” concludes Štefanko.
For more a detailed analysis, read Lukáš Štefanko’s blogpost “A great show is now history, as is its insecure mobile app” at ESET Android App Watch.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.