Recent News - ESET discovers vulnerability in a Cirque du Soleil mobile app


2019-07-01

The famous Cirque du Soleil show Toruk, which held its final performance last night – on June 30 – was enhanced with a mobile app that made users’ mobile devices vulnerable. The app, named “TORUK – The First Flight,” provided a means for the audience to be part of the show via audiovisual effects generated on their mobile devices.

“It appears that the TORUK app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators,” explains Lukáš Štefanko, the ESET security researcher who analyzed the app.

The “TORUK – The First Flight” app has over 100,000 installs on Google Play; there is also a version for iOS. With the end of the TORUK show, the app is no longer being marketed, and Cirque du Soleil’s staff said they would pull it from both the Android and Apple official app stores.

Cirque du Soleil promoted the “TORUK – The First Flight” app on their website
When this app is running, it opens a local port so that it is possible to remotely change volume settings, discover nearby Bluetooth devices if Bluetooth is on, display animations, set the position of the “Like” Facebook button on the device, and read or write to shared preferences that are accessible to the app.

“The problem is that the app has no authentication protocol in place. An adversary can scan the network and get the IP addresses of devices with the defined port opened – port 6161 – and send commands to all devices running the app,” explains Štefanko.

According to Štefanko, making the app resistant against this type of attack would have been simple. “If the app generated a unique token for each device, then it would be impossible to access all the devices en masse, without any authentication.”
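The per-device token Štefanko describes, as an added illustration that is not the TORUK app's own code: a command handler that generates a random token once per install and refuses any command on the local port that does not present it, so a message broadcast to every device on the network is rejected by every device. The command names, the JSON message shape and the out-of-band pairing step that hands the token to the show operator are assumptions.

```python
import hmac
import json
import secrets

# Command names are assumed; the article only says the port lets a sender
# change volume, show animations and move the "Like" button.
ALLOWED_COMMANDS = {"set_volume", "show_animation", "set_like_button_position"}


class DeviceCommandHandler:
    """Handles show commands arriving on the app's local port.

    Each device draws its own random token at install time. The operator is
    assumed to learn it through a pairing step (for example a code shown on
    the device) and must present it with every command.
    """

    def __init__(self) -> None:
        self.token = secrets.token_hex(16)  # unique per device, never shared
        self.volume = 50
        self.audit: list[str] = []

    def handle(self, raw: bytes) -> dict:
        try:
            msg = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return {"ok": False, "error": "malformed"}
        presented = msg.get("token", "") if isinstance(msg, dict) else ""
        # Constant-time comparison; decided before the command is even read,
        # so an unauthenticated sender learns nothing about supported commands.
        if not isinstance(presented, str) or not hmac.compare_digest(
            presented.encode("utf-8"), self.token.encode("utf-8")
        ):
            self.audit.append("rejected unauthenticated command")
            return {"ok": False, "error": "unauthorized"}
        cmd = msg.get("cmd")
        if cmd not in ALLOWED_COMMANDS:
            return {"ok": False, "error": "unknown command"}
        if cmd == "set_volume":
            level = msg.get("level")
            # Validate the parameter even for an authenticated sender.
            if not isinstance(level, int) or not 0 <= level <= 100:
                return {"ok": False, "error": "bad volume"}
            self.volume = level
        self.audit.append(f"accepted {cmd}")
        return {"ok": True, "cmd": cmd}
```

The handler is deliberately kept separate from the socket code so the check can be unit-tested; a listener that only accepts connections on the loopback interface, or none at all after the show ends, would close the exposure further.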

After the show, all the devices with this app installed remain vulnerable, so its users may experience unpleasant surprises at any point in the future if they are connected to a public network. 

“Those who installed this app should uninstall it immediately. By the way, we highly recommend doing that with all single-purpose apps,” concludes Štefanko.  

 
For a more detailed analysis, read Lukáš Štefanko’s blogpost “A great show is now history, as is its insecure mobile app” at ESET Android App Watch.

 



About Version 2 Limited
 

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
