A great show is now history, as is its insecure mobile app

With the end of Toruk, the famous Cirque du Soleil show, also ends a digital experiment that made your mobile device vulnerable.

One of the famous Cirque du Soleil shows, Toruk, had its final performance in London on June 30th, 2019. This event, while unfortunate for the show’s fans, brought one positive effect: the mobile app named “TORUK – The First Flight” (for both iOS and Android operating systems) will no longer be marketed to the show’s visitors.

Hopefully, as there is no reason for the app to exist, Cirque du Soleil will soon pull this app from the respective app stores.

The TORUK app let the audience become part of the show through audiovisual effects synchronized on their mobile devices (synchronized meaning that the effects take the location of the user’s seat into account).

Fig. 1 – Cirque du Soleil promoted the “TORUK – The First Flight” app on their website.

While the app may have brought value to those who wished to enhance their experience of the show (although many reviewers on Google Play question its benefits), it was a bit weaker on the security side.

The security issues

While the app is running, it opens a listening port through which a remote party can change the volume, discover nearby Bluetooth devices if Bluetooth is on, display animations, set the position of the Facebook “Like” button on the screen, and read or write the shared preferences the app has access to – see the video demo.

The problem for the app’s user is that anyone connected to the same network – think of the free Wi-Fi in hotels, shopping malls, coffee shops or airports – gets the same control over the app that its operators had during the show.

An adversary can scan the network for devices with this port open – in this case the app listens on port 6161, and the port number is fixed, so every device running the app exposes the same one.

As a result, anyone connected to the same network can send commands to every device running this app. This makes it apparent that the TORUK app wasn’t designed with security in mind. Had it been, the app would at the very least have authenticated incoming commands – for example by generating a unique random token per device and rejecting any command that doesn’t carry it – so that no device could be controlled by an arbitrary peer on the network.
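The two points above – the network scan that finds exposed devices, and the per-device token the app was missing – as an added example that is not the TORUK app's own code. The service below stands in for the app's command listener; its one-line command format, the command names, and the idea that the show's control system learns a device's token when the user syncs a seat are assumptions made for this example, since the page does not document the real protocol. The example binds to the loopback address so it can be run safely on one machine; binding to "0.0.0.0" instead is what exposes the service to everyone on the network.

```python
"""Added example (not the TORUK app's code): a minimal "show control"
service with the original design flaw (any network peer may send commands)
beside the fix (a random per-install token checked on every command).
Command format, command names and token handling are assumptions."""
import secrets
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

# Hypothetical command set, loosely modelled on the capabilities the article lists.
COMMANDS = {"volume", "animation", "like_position"}


def handle_command(line: str, expected_token: Optional[str]) -> str:
    """Parse one request line.  expected_token=None models the app as shipped
    (every command accepted); with a token set, the first field must equal it."""
    parts = line.strip().split()
    if expected_token is not None:
        # compare_digest keeps the comparison constant-time.
        if len(parts) < 2 or not secrets.compare_digest(
            parts[0].encode(), expected_token.encode()
        ):
            return "ERR unauthorized"
        parts = parts[1:]
    if not parts or parts[0] not in COMMANDS:
        return "ERR unknown command"
    return "OK " + " ".join(parts)


def serve(bind_host: str, port: int, token: Optional[str]):
    """Start a one-request-per-connection TCP service in a background thread
    and return (server_socket, bound_port).  "0.0.0.0" exposes it to the whole
    network, as the app did; "127.0.0.1" keeps it on the device itself."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket shut down
            with conn:
                try:
                    data = conn.recv(1024).decode(errors="replace")
                    conn.sendall(handle_command(data, token).encode())
                except OSError:
                    pass  # peer went away, e.g. a scanner that only connects

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop(srv: socket.socket) -> None:
    """Close the service; shutdown() wakes a blocked accept() on Linux."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def send_command(host: str, port: int, line: str, timeout: float = 2.0) -> str:
    """What any peer on the same network can do: connect and send one line."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        c.sendall((line + "\n").encode())
        return c.recv(1024).decode()


def scan(hosts, port: int, timeout: float = 0.3) -> list:
    """Return the hosts accepting a TCP connection on `port`: the adversary's
    first step from the article, and equally a defender's check for exposure."""
    def probe(host):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return host
        except OSError:
            return None

    with ThreadPoolExecutor(max_workers=64) as pool:
        return [h for h in pool.map(probe, hosts) if h is not None]


def new_install_token() -> str:
    """Generated once per install; only a controller that knows it (assumed to
    learn it when the user syncs a seat) can then command the device."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # 1. The app as shipped, on loopback instead of all interfaces.
    srv, port = serve("127.0.0.1", 0, token=None)
    print("exposed:", scan(["127.0.0.1"], port))
    print(send_command("127.0.0.1", port, "volume 100"))  # OK volume 100
    stop(srv)
    # 2. With a per-install token that only the legitimate controller knows.
    token = new_install_token()
    srv, port = serve("127.0.0.1", 0, token)
    print(send_command("127.0.0.1", port, "volume 100"))  # ERR unauthorized
    print(send_command("127.0.0.1", port, f"{token} volume 100"))  # OK volume 100
    stop(srv)
```

To check a real network for the exposed service, pass the subnet's addresses to `scan(..., 6161)`; the probe only completes a TCP handshake and sends nothing. Note that the token fix is a minimum: a token sent in clear text over a shared Wi-Fi network can still be captured by anyone sniffing that network, so a production design would also run the command channel over TLS.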

Due to the nature of the app, none of the commands an attacker can execute should be able to do serious harm to the victim (assuming the app has no further vulnerabilities¹). However, the port is opened whenever the app runs, not only during a performance, so a device with this app installed remains exposed after the show, and its user may get an unpleasant surprise at any point in the future when connected to a public network.

Given this vulnerability, those who installed the TORUK app should uninstall it as soon as it’s no longer needed – which is recommended practice for all single-purpose apps.

The TORUK app has over 100,000 installs on Google Play. However, it has not been updated since 2016. We notified Cirque du Soleil, the app’s developer, about the security issues we detected in March 2019 and, having received no response, again on May 21st. After learning about the sunset of the TORUK show, we decided to postpone the publication of our findings. We weighed the security risks connected with the app, which we consider moderate, against the negative effect of harming the show after five years of touring the globe and with only a few performances to go.

written by Lukas Stefanko, ESET

¹This article is based on a brief analysis; no penetration test was conducted.
