The mobile app built for the Cirque du Soleil show TORUK, which held its final performance on June 30, leaves its users’ mobile devices open to anyone on the same network. The app, named “TORUK – The First Flight,” let the audience take part in the show through audiovisual effects rendered on their own devices.
“It appears that the TORUK app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators,” explains Lukáš Štefanko, the ESET security researcher who analysed the app.
The “TORUK – The First Flight” app has over 100,000 installs on Google Play; there is also a version for iOS. With the end of the TORUK show, the app is no longer being marketed, and Cirque du Soleil’s staff said they would pull it from both the Android and Apple official app stores.
While the app is running it opens a listening port on the device through which a remote party can change the volume, discover nearby Bluetooth devices if Bluetooth is enabled, display animations, reposition the Facebook “Like” button on screen, and read or write the shared preferences the app has access to.
“The problem is that the app has no authentication protocol in place. An adversary can scan the network and get the IP addresses of devices with the defined port opened – port 6161 – and send commands to all devices running the app,” explains Štefanko.
According to Štefanko, making the app resistant against this type of attack would have been simple. “If the app generated a unique token for each device, then it would be impossible to access all the devices en masse, without any authentication.”
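The two patterns Štefanko contrasts, a command listener that obeys any message it receives and one that first checks a per-device random token, are sketched below. This is an added illustration, not code from the TORUK app or from ESET; the real wire format is not public, so the JSON command shape, the command names and the handler classes are assumptions chosen to mirror the capabilities listed above.

```python
import json
import secrets
import hmac
from dataclasses import dataclass, field

# Hypothetical command set modelled on the capabilities the article lists
# (volume, animations, Bluetooth scan, "Like" button position, shared prefs).
# The real TORUK protocol is not public; this JSON shape is an assumption.
ALLOWED_COMMANDS = {"set_volume", "play_animation", "scan_bluetooth",
                    "move_like_button", "write_pref", "read_pref"}


@dataclass
class DeviceState:
    """Simulated device: the state a command is allowed to change."""
    volume: int = 50
    prefs: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


def _parse(raw: bytes):
    """Decode one message; None means malformed input."""
    try:
        cmd = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return cmd if isinstance(cmd, dict) else None


def _execute(state: DeviceState, cmd: dict) -> dict:
    """Apply a parsed command to the device state (simulated side effects)."""
    name = cmd.get("cmd")
    if name not in ALLOWED_COMMANDS:
        return {"ok": False, "error": "unknown command"}
    try:
        if name == "set_volume":
            state.volume = max(0, min(100, int(cmd.get("value", state.volume))))
        elif name == "write_pref":
            state.prefs[str(cmd.get("key"))] = cmd.get("value")
        elif name == "read_pref":
            return {"ok": True, "value": state.prefs.get(str(cmd.get("key")))}
    except (TypeError, ValueError):
        return {"ok": False, "error": "bad argument"}
    state.log.append(name)
    return {"ok": True}


class InsecureCommandHandler:
    """Vulnerable pattern: every well-formed message reaching the port is
    obeyed, so anyone who can route packets to the device controls it."""

    def __init__(self, state: DeviceState):
        self.state = state

    def handle(self, raw: bytes) -> dict:
        cmd = _parse(raw)
        if cmd is None:
            return {"ok": False, "error": "malformed"}
        return _execute(self.state, cmd)


class TokenAuthenticatedHandler:
    """Hardened pattern: a random per-device token generated on the device
    and handed only to the legitimate operator (how it is exchanged, e.g.
    a pairing step, is outside this example). Messages without it are
    dropped, so one broadcast can no longer drive every device at once."""

    def __init__(self, state: DeviceState):
        self.state = state
        self.token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def handle(self, raw: bytes) -> dict:
        cmd = _parse(raw)
        if cmd is None:
            return {"ok": False, "error": "malformed"}
        presented = cmd.pop("token", None)
        # Constant-time comparison: no byte-by-byte timing leak of the token.
        if not isinstance(presented, str) or not hmac.compare_digest(
                presented.encode("utf-8"), self.token.encode("utf-8")):
            return {"ok": False, "error": "unauthorized"}
        return _execute(self.state, cmd)


def demo() -> dict:
    """Send one constructed command to both handlers and collect the outcome."""
    blast = json.dumps({"cmd": "set_volume", "value": 100}).encode()

    insecure = InsecureCommandHandler(DeviceState())
    insecure_result = insecure.handle(blast)

    secure = TokenAuthenticatedHandler(DeviceState())
    rejected = secure.handle(blast)  # sender has no token
    forged = secure.handle(json.dumps(
        {"cmd": "set_volume", "value": 100, "token": "guess"}).encode())
    accepted = secure.handle(json.dumps(
        {"cmd": "set_volume", "value": 100, "token": secure.token}).encode())
    return {
        "insecure_ok": insecure_result["ok"],
        "insecure_volume": insecure.state.volume,
        "secure_rejected": rejected["error"],
        "secure_forged": forged["error"],
        "secure_accepted": accepted["ok"],
        "secure_volume": secure.state.volume,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the token is not secrecy of the commands but binding each listener to one operator: a scanner that finds every open port on the Wi-Fi can still reach the hardened handler, but without each device's individual token every message is refused, which is exactly the "en masse" control the quote above says a per-device token prevents.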
With the show over, every device that still has the app installed remains exposed: whenever the app is running and the device is connected to a network an attacker can also reach, such as a public Wi-Fi hotspot, the same unauthenticated commands can be sent to it.
“Those who installed this app should uninstall it immediately. By the way, we highly recommend doing that with all single-purpose apps,” concludes Štefanko.