Last week, the Vatican announced it was getting into the Internet of Things with an “eRosary.” Naturally, it didn’t take long for someone to find a major security flaw.
The Click to Pray eRosary is a smart device that functions as a sort of Fitbit for prayer — and also as just a plain ol’ Fitbit, kind of. It’s activated when you make the sign of the cross, and tracks your steps, calories, and location.
When you wish to pray, you can use the Click to Pray app to pick a particular rosary. According to the Vatican’s press release, “Once the prayer begins, the smart rosary shows the user’s progress throughout the different mysteries and keeps track of each rosary completed.” The app, where the Pope apparently maintains a profile, “connects thousands of people around the globe to pray every day. The Click To Pray eRosary is also intended to accompany him in his daily and monthly intentions in order to build a world with the taste of the Gospel.”
That sounds harmless enough, but at least one security researcher found a flaw in the app over the weekend. Fidus Information Security, a UK firm, apparently discovered the vulnerability within minutes of the app launching. Security researcher Elliot Alderson demonstrated it to CNET. In lieu of a password, the app sends a PIN to your registered email address, which you then use to log in.
Less than 5 minutes into looking at the eRosary application our research team has developed a full account takeover exploit. Can obtain e-mails, phone numbers, height, weight and other personal data. This has been reported. Luckily it's so new it's not in the wild yet. pic.twitter.com/XpqYqDpgC2
— Fidus InfoSecurity (@FidusInfoSec) October 17, 2019
Trouble is, the PIN code could also be seen by anyone able to observe the app’s traffic, because the API’s response to the PIN request contained the PIN itself. So you could, in theory, obtain the PIN without ever having access to the email account. Requesting a PIN also apparently logged you out of your current session in the app, meaning a person could be kicked out and unable to log back in because someone else was already using the PIN that had been requested. Whoever accessed your account would be able to see any information there, including your prayers, your steps, and so on.
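To make the two design mistakes concrete, here is an added example (not the eRosary app’s or the Vatican’s own code, and not the real API) of a toy e-mail-PIN login backend. `PrayerAppBackend`, `request_pin_vulnerable`, `request_pin_hardened` and `verify_pin` are hypothetical names, and the ten-minute PIN lifetime and five-attempt limit are assumed policy values. The vulnerable handler does what the article describes: it echoes the PIN back in the response and kicks the existing session off the account as soon as a PIN is requested. The hardened handler only delivers the PIN out of band, answers identically for registered and unregistered addresses, stores only a hash of the PIN with an expiry and attempt counter, and leaves the current session alone until a new PIN has actually been verified.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 10 * 60   # assumed policy: a PIN is usable for ten minutes
MAX_VERIFY_ATTEMPTS = 5     # assumed policy: discard the PIN after five wrong guesses


class PrayerAppBackend:
    """Hypothetical stand-in for an e-mail-PIN login backend (constructed, not the real app)."""

    def __init__(self, registered_emails, clock=time.time):
        self.clock = clock                  # injectable so expiry can be tested
        self.users = set(registered_emails)
        self.pending = {}                   # email -> {"digest", "expires", "attempts"}
        self.sessions = {}                  # session token -> email
        self.outbox = []                    # (email, pin) pairs standing in for sent e-mail

    def _issue_pin(self, email):
        """Generate a random 6-digit PIN, keep only its hash, 'mail' the clear PIN."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = {
            "digest": hashlib.sha256(pin.encode()).hexdigest(),
            "expires": self.clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((email, pin))    # the only place the clear PIN should go
        return pin

    def request_pin_vulnerable(self, email):
        """The pattern the article describes: the API response carries the PIN,
        and merely asking for a PIN logs the current session out."""
        if email not in self.users:
            return {"status": "unknown_email"}   # also confirms who is registered
        for token in [t for t, e in self.sessions.items() if e == email]:
            del self.sessions[token]             # existing user is kicked out
        pin = self._issue_pin(email)
        return {"status": "ok", "pin": pin}      # anyone reading the traffic now has it

    def request_pin_hardened(self, email):
        """PIN goes to the mailbox only; same response for any address;
        existing sessions stay valid until a new PIN is verified."""
        if email in self.users:
            self._issue_pin(email)
        return {"status": "ok"}

    def verify_pin(self, email, pin):
        """Return a session token on success, None otherwise. PINs are one-time,
        expire, and are discarded after too many wrong guesses."""
        rec = self.pending.get(email)
        if rec is None:
            return None
        if self.clock() > rec["expires"] or rec["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self.pending[email]
            return None
        rec["attempts"] += 1
        candidate = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(candidate, rec["digest"]):   # constant-time compare
            return None
        del self.pending[email]                                 # consume the PIN
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token


if __name__ == "__main__":
    backend = PrayerAppBackend(["alice@example.com"])   # constructed sample user
    print("vulnerable response:", backend.request_pin_vulnerable("alice@example.com"))
    print("hardened response:  ", backend.request_pin_hardened("alice@example.com"))
    _, mailed_pin = backend.outbox[-1]
    print("login with mailed PIN ->", backend.verify_pin("alice@example.com", mailed_pin) is not None)
```

The point of the hardened path is that the transport (or anyone positioned on it) never sees anything that is sufficient to log in: the response is a bare acknowledgement, the server holds only a hash, and a PIN can be used exactly once within its window. Keeping the existing session alive until verification also removes the lockout the article mentions, where simply requesting a PIN for someone else’s address threw them out of the app.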
According to CNET, the issue has now been fixed. Alderson apparently had to pester the Vatican about the issue, but eventually someone listened. The Register reports both Alderson and Fidus reported the vulnerability at roughly the same time — which is, again, within a day of the app becoming widely available.
Elliot found a vulnerability in a newly-released app loosely connected to my office.
He was persistent in finding somebody in the Vatican with whom he could discuss his findings.
He was patient with our dev team.
He provided everything we needed to fix the vulnerability. https://t.co/CVn07tOEDF
— Fr. Robert R. Ballecer, SJ (@padresj) October 18, 2019
I’m sure there’s some sort of irony in an item that’s supposed to help the faithful feel more comforted and secure turning out to be kind of insecure itself. Still, it’s not that unusual for a wearable, and it’s good to know the situation’s been attended to. I’m not optimistic enough to think that’s the last we’ll hear of something like this happening, though.