Cirque du Soleil app gives attackers same admin rights as operators

The developers of the app did not implement any form of authentication.

A Cirque du Soleil mobile application developed for the Toruk show left every user's device open to abuse: anyone on the venue network could send commands to every phone in the crowd.

On Monday, cybersecurity researchers from ESET said the "Toruk - The First Flight" application, designed to boost crowd interaction through audiovisual effects, was not designed with security in mind. 

The Toruk app has over 100,000 installs on Google Play, is also available on iOS, and has not received any form of update since 2016. 

Upon examination, ESET researcher Lukáš Štefanko found that "anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators."

The app has no authentication in place. As a result, anyone who can reach the port it listens on, port 6161, can remotely control a device running Toruk: changing the volume, displaying content, forcing a scan for nearby Bluetooth devices, and reading or writing the shared preferences the app has access to.

An attacker could scan the network to harvest the IP addresses of vulnerable devices. While the mischief they could cause is limited, all it would have taken to shut down this mass access was for the app to generate a unique token for each device, without adding a login step for users.
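The weakness ESET describes and the per-device token it suggests, side by side, as an added Python sketch that is not part of the ESET report or the Toruk app. The command names, the JSON framing, the listening behaviour and the pairing step by which an operator would learn a device's token are assumptions made for illustration; the real Toruk protocol is not public and is not reproduced here.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Hypothetical command set, loosely based on the capabilities the article lists
# (volume, displayed content, Bluetooth discovery, shared preferences). The real
# Toruk wire format is not known and is not reproduced here.
PORT = 6161  # the open port named in the report; documentation only


@dataclass
class DeviceState:
    volume: int = 50
    screen: str = ""
    bt_discovery: bool = False
    prefs: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


def make_command(name, value=None, key=None, token=None):
    """Build one JSON command as an operator (or an attacker) would send it."""
    cmd = {"cmd": name}
    if value is not None:
        cmd["value"] = value
    if key is not None:
        cmd["key"] = key
    if token is not None:
        cmd["token"] = token
    return json.dumps(cmd)


def parse(raw):
    """Return the command dict, or None for anything that is not a JSON object."""
    try:
        cmd = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return None
    return cmd if isinstance(cmd, dict) else None


def apply_command(state, cmd):
    """Apply a parsed command to device state; shared by both designs below."""
    name = cmd.get("cmd")
    if name == "set_volume":
        state.volume = max(0, min(100, int(cmd.get("value", state.volume))))
    elif name == "show_content":
        state.screen = str(cmd.get("value", ""))
    elif name == "bt_discover":
        state.bt_discovery = True
    elif name == "write_pref":
        state.prefs[str(cmd.get("key"))] = cmd.get("value")
    else:
        return False
    state.log.append(name)
    return True


class OpenDevice:
    """Weak design (as reported): whoever reaches the port is treated as the operator."""

    def __init__(self):
        self.state = DeviceState()

    def handle(self, raw):
        cmd = parse(raw)
        return cmd is not None and apply_command(self.state, cmd)


class TokenGatedDevice:
    """Hardened design: a random token minted per device on first run must accompany
    every command. How the operator learns it (a pairing step) is assumed, not shown."""

    def __init__(self):
        self.state = DeviceState()
        self.token = secrets.token_urlsafe(32)  # 256 bits, unique to this device

    def handle(self, raw):
        cmd = parse(raw)
        if cmd is None:
            return False
        presented = cmd.get("token")
        # Constant-time comparison so a wrong token leaks nothing through timing.
        if not isinstance(presented, str) or not hmac.compare_digest(presented, self.token):
            self.state.log.append("rejected")
            return False
        return apply_command(self.state, cmd)


def mass_command(devices, raw):
    """Simulate an attacker on the venue network sending one command to every
    device a port scan turned up; returns how many devices obeyed."""
    return sum(1 for d in devices if d.handle(raw))


if __name__ == "__main__":
    crowd_open = [OpenDevice() for _ in range(5)]
    crowd_gated = [TokenGatedDevice() for _ in range(5)]
    attack = make_command("set_volume", value=100)
    print("open devices obeying:", mass_command(crowd_open, attack))          # 5
    print("token-gated devices obeying:", mass_command(crowd_gated, attack))  # 0
```

The point of the gated version is that an attacker who can reach port 6161 on every phone in the venue no longer gets every phone: a command with no token, or a guessed one, is rejected before any state changes. A token captured from one device's traffic would still control that one device, so in practice the channel should also be encrypted, but that is a further step beyond the per-device token the researchers asked for.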

ESET attempted to reach out to Cirque du Soleil in March but did not receive a response. The researchers tried again in May, only to be met with radio silence.

As the Toruk show ended its production run at the end of June, the researchers decided to wait until July to reveal their findings. The application is no longer needed and should be uninstalled; the same is good practice for any single-use or single-purpose mobile app once its purpose has passed.

Cirque du Soleil does, however, intend to pull the app from Google Play and the Apple App Store now that the show is over.

"We weighed the security risks connected with the app, which we consider moderate, against the negative effect of harming the show after five years of touring the globe and with a few performances to go," the ESET team said.

ZDNet has reached out to Cirque du Soleil and will update if we hear back. 
