A mobile app that was designed to enhance the experience of watching a touring Cirque du Soleil show left audience members' devices vulnerable to an attack by others sharing the same public Wi-Fi network, according to a blog post today by researchers at ESET.

The app corresponded to the show TORUK – The First Flight, an Avatar-themed act that ended its five-year run on June 30 with a final show in London. It not only offered backstage photos, videos and other content, but it also synchronized their devices with the performance to play audiovisual effects based on the user's specific seat location.

By using the app, audience members enabled the TORUK app operators to issue a series of commands to their devices via the open port 6161. However, due to the app's lack of authentication, potential adversaries on the same public Wi-Fi network are essentially granted the same power. All they have to do was scan the network for the IP addresses of devices with an open port 6161, and then send their own admin-style commands to those devices, explained blog post author and malware researcher Lukas Stefanko.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.