A Cirque du Soleil mobile app that was used to provide additional audiovisual effects during performances has been found to have significant vulnerabilities that put audience members at risk.
The app, which was designed for the Avatar-inspired show Toruk, was found to have vulnerabilities by Lukáš Štefanko, a security researcher at cybersecurity software provider ESET.
The company has advised Cirque du Soleil about the issues, and the entertainment group has said it plans to pull the app from both the Android and iOS stores now the performance has ended its run.
Štefanko found that the app lacked basic security protocols that meant anyone connected to the same network could access an audience member’s device and make changes to it.
“The problem is that the app has no authentication protocol in place. An adversary can scan the network and get the IP addresses of devices with the defined port opened – port 6161 – and send commands to all devices running the app,” he said.
“It appears that the Toruk app wasn’t designed with security in mind. As a result, anyone who was connected to the network during the show had the same admin possibilities as the Cirque du Soleil operators.”
Cirque du Soleil mobile app users remain at risk
The app, which has been installed over 100,000 times on Android alone, had vulnerabilities that makes it possible for a malicious user to connect affected phones to other nearby Bluetooth devices, display animations and read and write to shared preferences that the app has been given permission to access. It also allows a malicious actor to remotely change volume settings or ‘Like’ pages or posts on Facebook.
While these seem like relatively minor threats, they open the door for a host of malicious intrusions, putting users of the Cirque du Soleil mobile app at serious risk.
And notably, the vulnerability is not specific to the show: anyone with the app still installed remains exposed.
“Those who installed this app should uninstall it immediately,” said Štefanko. “By the way, we highly recommend doing that with all single-purpose apps.”