The Canadian entertainment company and the largest theatrical producer in the world launched the app to promote the show TORUK - The First Flight, an Avatar-themed act that ended its five-year run on 30 June with a final show in London.
It not only offered backstage photos, videos and other content, but it also synchronised audience members' devices with the performance to play audiovisual effects based on the user's specific seat location.
By using the app, audience members enabled the TORUK app operators to issue a series of commands to their devices via the open port 6161. However, due to the app’s lack of authentication, potential adversaries on the same public Wi-Fi network are essentially granted the same power.
All they have to do is scan the network for the IP addresses of devices with an open port 6161, and then send their own admin-style commands to those devices, explained blog post author and malware researcher Lukas Stefanko.
"…Anyone connected to the same network can send commands to all devices running this app. This makes it apparent that the TORUK app wasn’t designed with security in mind," the blog post states. "If it were, the app would simply generate a unique token for each device to make it impossible to access other devices without any authentication."
Fortunately, the commands made possible via the app are not especially harmful to a device. Commands include remotely adjusting the volume, discovering nearby Bluetooth devices, displaying animations, setting the position of the "Like" Facebook button, and reading or writing to shared preferences that are accessible to the app. Perhaps for this reason, ESET considers the security risk of this app to be only moderate in nature.
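The fix Stefanko describes, a per-device token that must accompany every command before it is acted on, shown as an added Python example that is not ESET's or Cirque du Soleil's code; the JSON message shape and command names below are assumed, since the article does not describe the app's actual wire protocol.

```python
import hmac
import json
import secrets

# Constructed command set modelled on the capabilities the article lists;
# the real TORUK protocol is not public, so this JSON shape is an assumption.
ALLOWED_COMMANDS = {"set_volume", "scan_bluetooth", "play_animation", "set_like_position"}


def issue_device_token() -> str:
    """Generated once per install and shared only with the legitimate show backend."""
    return secrets.token_urlsafe(32)


def handle_unauthenticated(raw: str) -> dict:
    """The flawed design: whoever reaches the port gets the command executed."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return {"status": "error", "reason": "malformed"}
    if msg.get("cmd") not in ALLOWED_COMMANDS:
        return {"status": "error", "reason": "unknown command"}
    return {"status": "ok", "executed": msg["cmd"]}


def handle_authenticated(raw: str, device_token: str) -> dict:
    """Hardened handler: reject any command that lacks this device's token."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return {"status": "error", "reason": "malformed"}
    presented = str(msg.get("token", "")).encode()
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(presented, device_token.encode()):
        return {"status": "error", "reason": "unauthenticated"}
    if msg.get("cmd") not in ALLOWED_COMMANDS:
        return {"status": "error", "reason": "unknown command"}
    return {"status": "ok", "executed": msg["cmd"]}
```

Because each device holds a different token, a sender who can reach many devices on the same network still cannot drive any of them without that device's own secret.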
Although the curtain has closed on TORUK, users who downloaded the app technically still remain vulnerable to interference by adversaries, albeit only if they are running the app while on an insecure public network where an attacker may be lurking, like those offered by certain hotels, food chains and municipalities.
According to Google Play statistics, the TORUK app has been installed over 100,000 times. Stefanko says that ESET informed Cirque du Soleil of the vulnerability back in March 2019, but never received a response. SC Media has reached out to Montreal, Canada-based Cirque du Soleil for comment.
This article was originally published on SC Media US.