Last week, the Vatican announced it was jumping into the Internet of Things with an “eRosary.” Naturally, it didn’t take long for someone to find a major security flaw.
The Click to Pray eRosary is a smart device that works like a kind of Fitbit for prayer, and also, sort of, like a regular Fitbit. It is activated when you make the sign of the cross and tracks your steps, calories and location.
When you want to pray, you can use the Click to Pray app to choose a particular rosary. According to the Vatican press release, “Once the prayer has started, the smart rosary shows the user’s progress through the various mysteries and keeps track of each completed rosary.” The app, where the pope apparently maintains a profile, “connects thousands of people around the world to pray every day. The Click To Pray eRosary is also meant to accompany him in his daily and monthly intentions to build a world according to the gospel.”
It sounds harmless enough, but security researchers found a flaw in the app almost as soon as it appeared. Fidus Information Security, a British firm, says it found the vulnerability within minutes of opening the app, and security researcher Elliot Alderson demonstrated it for CNET. The app has no passwords: to log in, it emails a PIN to your registered address, which you then type into the app.
Less than 5 minutes after looking at the eRosary app, our research team developed a full account takeover exploit. Can get emails, phone numbers, height, weight and other personal data. It has been reported. Fortunately, it is so new that it is not yet in the wild. pic.twitter.com/XpqYqDpgC2
— Fidus InfoSecurity (@FidusInfoSec) October 17, 2019
The problem is that the PIN was not only emailed to the user but also returned in the API response to the login request. Anyone who sent that request for a known email address, or who could see the app’s traffic, could read the PIN without ever touching the victim’s inbox. Requesting a PIN also apparently invalidated the existing session, so a legitimate user could be kicked out of the app and unable to get back in while someone else was logged in with the PIN they had requested. Whoever took over the account could see everything in it, including prayers, step counts and so on.
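To make the failure concrete, here is an added example (not code from the eRosary app or from Fidus, whose backend is not public) modelling an email-PIN login in plain Python. The vulnerable endpoint echoes the PIN in its JSON response and drops existing sessions when a PIN is requested, which is the behaviour the article describes; the hardened version beside it stores only a salted hash with a short expiry, a retry cap and single use, answers neutrally for unknown addresses, and leaves sessions alone. The in-memory user table, mailbox and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the backend database and outbound mail queue.
USERS = {"pilgrim@example.org": {"name": "Test Pilgrim", "steps": 4321}}
MAILBOX = {}    # email -> list of messages "delivered" to that address
PENDING = {}    # email -> pending PIN record
SESSIONS = {}   # session token -> email

PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def _deliver_pin(email, pin):
    """Stand-in for sending the PIN by email."""
    MAILBOX.setdefault(email, []).append(f"Your login PIN is {pin}")


def _new_pin():
    return f"{secrets.randbelow(10**6):06d}"


def request_pin_vulnerable(email):
    """Models the reported flaw: the PIN is emailed AND echoed in the API
    response, so whoever sends the request gets it. Existing sessions are
    also dropped, which is the lockout effect described above."""
    if email not in USERS:
        return {"status": "error"}
    pin = _new_pin()
    _deliver_pin(email, pin)
    PENDING[email] = {"pin": pin}
    for tok in [t for t, e in SESSIONS.items() if e == email]:
        del SESSIONS[tok]
    return {"status": "ok", "pin": pin}   # the leak: PIN in the response


def login_vulnerable(email, pin):
    rec = PENDING.get(email)
    if rec and rec.get("pin") == pin:
        tok = secrets.token_hex(16)
        SESSIONS[tok] = email
        return tok
    return None


def request_pin_fixed(email):
    """Hardened version: the PIN leaves the server only by email. The API
    keeps a salted hash with expiry and attempt counter, never returns the
    PIN, gives the same answer for unknown addresses, and keeps sessions."""
    if email in USERS:
        pin = _new_pin()
        salt = secrets.token_bytes(16)
        PENDING[email] = {
            "salt": salt,
            "hash": hashlib.sha256(salt + pin.encode()).digest(),
            "expires": time.time() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        _deliver_pin(email, pin)
    return {"status": "ok"}


def login_fixed(email, pin):
    rec = PENDING.get(email)
    if rec is None or "hash" not in rec:
        return None
    if time.time() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(email, None)          # expired or brute-forced: discard
        return None
    rec["attempts"] += 1
    candidate = hashlib.sha256(rec["salt"] + pin.encode()).digest()
    if not hmac.compare_digest(candidate, rec["hash"]):
        return None
    PENDING.pop(email)                    # single use
    tok = secrets.token_hex(16)
    SESSIONS[tok] = email
    return tok


def attacker_can_take_over(request_pin, login, victim="pilgrim@example.org"):
    """An attacker who knows only the victim's address and can read the
    API response. Returns True if that alone yields a valid session."""
    pin = request_pin(victim).get("pin")
    if pin is None:
        return False
    return login(victim, pin) is not None


if __name__ == "__main__":
    print("vulnerable takeover:", attacker_can_take_over(request_pin_vulnerable, login_vulnerable))
    print("fixed takeover:     ", attacker_can_take_over(request_pin_fixed, login_fixed))
```

The point of the fix is not the hashing on its own: an emailed PIN is a secret that must exist in exactly one out-of-band channel, so the API response carries nothing a caller could not already know. The expiry, attempt cap and single use are there because a six-digit PIN is easy to guess online once the response no longer hands it over.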
According to CNET, the issue has now been resolved. Alderson apparently had to nag the Vatican about it, but eventually someone listened. The Register reports that Alderson and Fidus reported the vulnerability around the same time, which is, again, less than a day after the app became widely available.
Elliot found a vulnerability in a recently released application loosely connected to my desktop.
He persisted in finding someone in the Vatican with whom he could discuss his findings.
He was patient with our development team.
He provided everything we needed to fix the vulnerability. https://t.co/CVn07tOEDF
— Fr. Robert R. Ballecer, SJ (@padresj) October 18, 2019
I’m sure there’s some kind of irony in a device that’s supposed to help worshipers feel comforted and safe proving itself insecure. Still, that’s hardly unusual for a connected gadget, and it’s good to know the situation has been sorted out. I’m not optimistic enough to think this is the last we’ll hear of something like this.