Vatican launches smart rosary, someone already found a security flaw


Last week, the Vatican announced it was getting into the Internet of Things with an “eRosary.” Naturally, it didn’t take long for someone to find a major security flaw.

The Click to Pray eRosary is a smart device that functions as a sort of Fitbit for prayer — and also as just a plain ol’ Fitbit, kind of. It’s activated when you make the sign of the cross, and tracks your steps, calories, and location.

When you wish to pray, you can use the Click to Pray app to pick a particular rosary. According to the Vatican’s press release, “Once the prayer begins, the smart rosary shows the user’s progress throughout the different mysteries and keeps track of each rosary completed.” The app, where the Pope apparently maintains a profile, “connects thousands of people around the globe to pray every day. The Click To Pray eRosary is also intended to accompany him in his daily and monthly intentions in order to build a world with the taste of the Gospel.”

That sounds harmless enough, but at least one security researcher discovered a security flaw in the app over the weekend. Fidus Information Security, a UK firm, apparently discovered the vulnerability within minutes of the app launching. Security researcher Elliot Alderson demonstrated it to CNET. In lieu of a password, the app sends a PIN to your registered email address, which you use to log in.

Trouble is, the PIN can also be seen by anyone able to observe the app's traffic, because the API's response contained it. So, in theory, you could read the PIN without ever having access to the email account. Requesting a PIN also apparently logs the user out of their current session in the app, so a person could be kicked out and unable to log back in while someone else is already using a PIN they requested. Whoever accessed your account would be able to see any information in it, including your prayers, your steps, and so on.
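To make the two weaknesses concrete, here is an added example (not the Click to Pray app's code, and every name, constant and store in it is hypothetical) that models an email-PIN login flow twice: a version with the flaws the article describes, where the PIN is echoed in the API response and a PIN request evicts the existing session, and a hardened version that returns nothing secret, stores only a keyed hash of the PIN, expires and single-uses it, caps guesses, and leaves existing sessions untouched until the requester has actually proven control of the mailbox.

```python
"""Email-PIN login: the flawed flow from the article beside a hardened one.
Added example code; not the eRosary app's own. All names are hypothetical."""
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 10 * 60               # assumed: a PIN is valid for ten minutes
MAX_ATTEMPTS = 5                        # assumed: lockout after five wrong guesses
SERVER_SECRET = secrets.token_bytes(32)  # in practice loaded from a secret store


class Store:
    """Minimal in-memory stand-in for the server's database."""

    def __init__(self):
        self.pins = {}      # email -> pending PIN record
        self.sessions = {}  # session token -> email


def _new_pin():
    return f"{secrets.randbelow(10**6):06d}"


def _pin_hash(email, pin):
    # Keyed hash, so a dumped pins table cannot be replayed as logins.
    return hmac.new(SERVER_SECRET, f"{email}:{pin}".encode(), hashlib.sha256).digest()


def request_pin_vulnerable(store, email, send_mail):
    """Mirrors the behaviour the article describes (constructed, not real code)."""
    pin = _new_pin()
    store.pins[email] = pin
    # Any PIN request kicks out the user's existing session, even though the
    # requester has not proven anything yet: an unauthenticated denial of service.
    for token, owner in list(store.sessions.items()):
        if owner == email:
            del store.sessions[token]
    send_mail(email, pin)
    # The PIN is echoed in the response, so the email step proves nothing to
    # anyone who can read the API traffic.
    return {"status": "sent", "pin": pin}


def request_pin_hardened(store, email, send_mail):
    """Same API shape, but the response carries no secret."""
    pin = _new_pin()
    store.pins[email] = {
        "hash": _pin_hash(email, pin),
        "expires": time.time() + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    send_mail(email, pin)
    # Existing sessions are left alone; only a verified PIN changes login state.
    return {"status": "sent"}


def verify_pin(store, email, pin):
    """Return a new session token on success, None otherwise."""
    record = store.pins.get(email)
    if record is None or time.time() > record["expires"]:
        store.pins.pop(email, None)
        return None
    record["attempts"] += 1
    if record["attempts"] > MAX_ATTEMPTS:
        del store.pins[email]  # a six-digit PIN only survives guessing with a cap
        return None
    if not hmac.compare_digest(record["hash"], _pin_hash(email, pin)):
        return None
    del store.pins[email]      # single use: a captured PIN cannot be replayed
    token = secrets.token_urlsafe(32)
    store.sessions[token] = email
    return token


if __name__ == "__main__":
    outbox = []
    mail = lambda addr, pin: outbox.append((addr, pin))  # constructed mailer stub
    s = Store()
    print("vulnerable response:", request_pin_vulnerable(s, "user@example.com", mail))
    print("hardened response:  ", request_pin_hardened(s, "user@example.com", mail))
    print("login token:", verify_pin(s, "user@example.com", outbox[-1][1]) is not None)
```

The detection side follows from the same shape: a response body that contains the very credential the server just mailed out, or a session table that empties on an unauthenticated request, are both things an API test suite can assert against before release.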

According to CNET, the issue has now been fixed. Alderson apparently had to pester the Vatican about the issue, but eventually someone listened. The Register reports both Alderson and Fidus reported the vulnerability at roughly the same time — which is, again, within a day of the app becoming widely available.

I’m sure there’s some sort of irony in an item that’s supposed to help the faithful feel more comforted and secure turning out to be kind of insecure itself. Still, it’s not that unusual for a wearable, and it’s good to know the situation’s been attended to. I’m not optimistic enough to think that’s the last we’ll hear of something like this happening, though.
