A mobile app that was designed to enhance the experience of watching a touring Cirque du Soleil show left audience members' devices vulnerable to an attack by others sharing the same public Wi-Fi network, according to a blog post today by researchers at ESET.
The app accompanied the show TORUK – The First Flight, an Avatar-themed production that ended its five-year run on June 30 with a final performance in London. Besides offering backstage photos, videos and other content, it synchronized audience members' devices with the performance, playing audiovisual effects keyed to each user's seat location.
While the app was running, it listened on TCP port 6161, which let the show's operators issue a series of commands to audience members' devices. Because the app performed no authentication on that port, anyone else on the same public Wi-Fi network had the same power: all an attacker had to do was scan the network for devices with port 6161 open and then send them the same admin-style commands, explained blog post author and malware researcher Lukas Stefanko.
"...Anyone connected to the same network can send commands to all devices running this app. This makes it apparent that the TORUK app wasn’t designed with security in mind," the blog post states. "If it were, the app would simply generate a unique token for each device to make it impossible to access other devices without any authentication."
Fortunately, the commands the app accepts are not especially harmful to a device. They include remotely adjusting the volume, discovering nearby Bluetooth devices, displaying animations, setting the position of the Facebook "Like" button, and reading or writing the shared preferences accessible to the app. Likely for this reason, ESET rates the security risk of the app as only moderate.
Although the curtain has closed on TORUK, users who downloaded the app technically remain vulnerable to interference by adversaries, albeit only while they are running the app on an insecure public network where an attacker may be lurking, like those offered by certain hotels, food chains and municipalities. "The port [stays] open until the user deliberately kills the app from the background, because once the user hits the 'Home' or 'Back' button, the app still works in the background," Stefanko told SC Media via email. "So, the user needs to go to recent apps and kill the app's activity."
According to Google Play statistics, the TORUK app has been installed over 100,000 times. Stefanko says that ESET informed Cirque du Soleil of the vulnerability back in March 2019, but never received a response.
A spokesperson from Montreal, Canada-based Cirque du Soleil supplied the following comment to SC Media: "All applications related to Cirque du Soleil created after 2016 are subject to rigorous development, quality assurance and security processes. This application only concerned the TORUK show and its features were mainly active during the arena performances. As the last performance of this show took place last weekend, the app was removed from the Apple Store and Google Store. Cirque du Soleil has not yet received any notification from its users that they have been potentially affected by the vulnerability issues of the TORUK mobile application."