A mobile app that was designed to enhance the experience of watching a touring Cirque du Soleil show left audience members’ devices vulnerable to an attack by others sharing the same public Wi-Fi network, according to a blog post today by researchers at ESET.

The app corresponded to the show TORUK – The First Flight, an Avatar-themed act that ended its five-year run on June 30 with a final show in London. It not only offered backstage photos, videos and other content, but it also synchronized their devices with the performance to play audiovisual effects based on the user’s specific seat location.

By using the app, audience members enabled the TORUK app operators to issue a series of commands to their devices via the open port 6161. However, due to the app’s lack of authentication, potential adversaries on the same public Wi-Fi network are essentially granted the same power. All they have to do was scan the network for the IP addresses of devices with an open port 6161, and then send their own admin-style commands to those devices, explained blog post author and malware researcher Lukas Stefanko.

“…Anyone connected to the same network can send commands to all devices running this app. This makes it apparent that the TORUK app wasn’t designed with security in mind,” the blog post states. “If it were, the app would simply generate a unique token for each device to make it impossible to access other devices without any authentication…”

Read the Full Article at SC Magazine