June 30th was the closing night for the Cirque du Soleil show Toruk – The First Flight in London. ESET researchers said that is good news for fans who used the show’s companion mobile app, which reportedly lacked security controls and left their phones vulnerable.
According to Lukáš Štefanko, the ESET security researcher who analyzed the app (also named “TORUK – The First Flight”), anyone connected to the network during the show could have gained admin access to the app, which was designed to let audiences engage with the show through audiovisual effects generated on their mobile devices.
“It appears that the TORUK app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators,” explained Štefanko. The app, which is no longer being marketed now that the show has concluded, was installed over 100,000 times from Google Play, and there is also a version for iOS. Cirque du Soleil’s staff reportedly told ESET that they would pull it from both the Android and Apple official app stores.
Because the app had no authentication, Štefanko said an adversary could scan the network for devices with port 6161 open and collect their IP addresses. The attacker could then send commands to every device running the app, explained Štefanko, a vulnerability he said could have been avoided quite easily.
“If the app generated a unique token for each device, then it would be impossible to access all the devices en masse, without any authentication. After the show, all the devices with this app installed remain vulnerable, so its users may experience unpleasant surprises at any point in the future if they are connected to a public network.”
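The fix Štefanko describes, a unique token per device so that commands cannot be pushed to every phone on the network without authentication, as an added example that is not code from the TORUK app or from ESET: the operator console signs each command for one paired device, and the device rejects anything unsigned, misdirected or replayed. The message layout, the pairing step and the class names are assumptions made for this illustration.

```python
import hmac
import hashlib
import json
import secrets


class OperatorConsole:
    """Show-side console (hypothetical). Each device receives its own secret
    when it pairs, so a command is only valid for the device it was signed for."""

    def __init__(self):
        self.secrets = {}      # device_id -> 32-byte per-device secret
        self.counters = {}     # device_id -> last command counter sent

    def pair(self, device_id: str) -> bytes:
        self.secrets[device_id] = secrets.token_bytes(32)
        self.counters[device_id] = 0
        return self.secrets[device_id]   # handed to the device at pairing time

    def command(self, device_id: str, action: str) -> bytes:
        # Message = canonical JSON body + "." + hex HMAC-SHA256 over the body.
        self.counters[device_id] += 1
        body = json.dumps({"device": device_id, "ctr": self.counters[device_id],
                           "action": action}, sort_keys=True).encode()
        tag = hmac.new(self.secrets[device_id], body, hashlib.sha256).hexdigest()
        return body + b"." + tag.encode()


class AudienceDevice:
    """Phone-side listener (hypothetical). Accepts only messages signed for
    this device whose counter is newer than the last one accepted."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self.secret = secret
        self.last_counter = 0

    def accept(self, message: bytes) -> bool:
        try:
            body, tag = message.rsplit(b".", 1)
            fields = json.loads(body)
        except ValueError:
            return False                  # malformed, or an unsigned broadcast
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False                  # signed with another device's key, or forged
        if fields.get("device") != self.device_id or fields.get("ctr", 0) <= self.last_counter:
            return False                  # addressed to another device, or replayed
        self.last_counter = fields["ctr"]
        return True
```

Because each device holds a different secret, an unauthenticated message sent to port 6161 on every phone is dropped by all of them, and a captured valid command cannot be replayed to the same phone or forwarded to another.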
“Those who installed this app should uninstall it immediately. By the way, we highly recommend doing that with all single-purpose apps,” said Štefanko.