Is There Anything Holy Left in This World? A Security Flaw Is Found in a New Smart Rosary
In what some would consider a strange attempt to get more people interested in religion, the Catholic Church announced last week that it's launching a brand new smart rosary. The device costs a little over $100, and it's activated when the user makes the sign of the cross. As you might have guessed, it's accompanied by a mobile application, which, in addition to tracking some fitness data, gives people numerous options meant to help them improve their praying habits. Apparently, the ultimate goal is to get tech-savvy people to pray more often.
Whether it succeeds at that remains to be seen. What we do know at this point, however, is that whoever developed the concept didn't seem to have security very high on their priority list. Researchers downloaded the app immediately after the official announcement on October 17, and within minutes they found a rather glaring security hole.
The account takeover vulnerability was independently discovered by a French security expert going by the Twitter handle @fs0c131y and by a team of researchers from Fidus Information Security. The Vatican was informed immediately, and a patch was released on the following day. The more you read about the vulnerability, however, the more you're left with the sense that the developers didn't really think the whole system through.
A less-than-perfect system to start with
Like almost everything connected to the internet nowadays, using the smart rosary's features to the fullest requires an account. Users can either log in using their Facebook or Google profiles, or they can opt to create a dedicated eRosary account. The problems are with the second option.
Instead of a password, users log in with a four-digit PIN code. That PIN is the only thing protecting the account, and a four-digit PIN has just 10,000 possible values. In this day and age that simply isn't strong enough, especially when you consider that, as Fidus' researchers pointed out, the app's developers didn't put any meaningful rate limiting on the API. The only thing hampering an attacker is that an account accepts one login attempt per minute, which means the entire PIN space can be exhausted in roughly a week, and the correct PIN will turn up after about three and a half days on average.
In other words, a brute-force attack is entirely feasible for a determined attacker. When you look at the rest of the account creation mechanism, however, things get worse.
A user doesn't get to pick their own PIN. Instead, one is generated and sent to them by email, and they need to enter it into the app in order to continue with the registration. This is far from ideal for several reasons. For one, a server that can send the PIN to the user in plaintext must be able to recover it, which raises the question of whether PINs are stored in the clear (or reversibly) rather than hashed. And even setting that aside, email has never been a safe channel for login credentials. Unfortunately, the user's inbox wasn't the only place where the PIN would land.
A design flaw in the API allowed a full account takeover
The experts found that after users entered their email address and clicked "Next", the app called an API function named "resend_pin" (which, presumably, is also used when a PIN is forgotten). That function emailed the PIN to the address given, which was the expected (if not ideal) behavior, but it also returned the PIN in the API response, which wasn't. Since the only input the function needs is an email address, anyone could request the PIN for any account and read it straight out of the response without ever touching the victim's inbox. With the email address and the PIN in hand, the attacker simply logs in.
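To make the flaw concrete, here is an added example that models the flow described above; it is not the eRosary app's code, and the real service's endpoints, storage and mailer are not public. `VulnerableApi.resend_pin` echoes the PIN in its response the way the article describes, while `HardenedApi` returns nothing derived from the PIN, stores only a salted hash, and locks the account after repeated failures. The account layout, the `OutboxMailer` stand-in and the sample profile data are all constructed for the demonstration.

```python
"""Added example: a model of a PIN-by-email login flow, vulnerable and hardened.
Not the eRosary app's code; endpoint names, storage layout and mailer are stand-ins."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PIN_LENGTH = 4  # as the article describes; a longer secret would be better still


def new_pin() -> str:
    return "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))


class OutboxMailer:
    """Stand-in for the mail transport: records (recipient, body) instead of sending."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


@dataclass
class VulnerableAccount:
    email: str
    pin: str  # kept in the clear so it can be re-mailed: the storage question the article raises
    profile: Dict[str, str] = field(default_factory=dict)


class VulnerableApi:
    """Behaves like the flawed endpoint: knowing an e-mail address is enough."""

    def __init__(self, mailer: OutboxMailer) -> None:
        self.mailer = mailer
        self.accounts: Dict[str, VulnerableAccount] = {}

    def register(self, email: str) -> dict:
        self.accounts[email] = VulnerableAccount(email, new_pin(), {"dob": "1970-01-01"})
        return self.resend_pin(email)

    def resend_pin(self, email: str) -> dict:
        acct = self.accounts[email]
        self.mailer.send(email, f"Your PIN is {acct.pin}")
        return {"status": "ok", "pin": acct.pin}  # BUG: the PIN goes to whoever called the API

    def login(self, email: str, pin: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(acct.pin.encode(), pin.encode())


class HardenedApi:
    """Same flow, fixed: no PIN material in responses, hashed storage, lockout."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, mailer: OutboxMailer, clock: Callable[[], float] = time.monotonic) -> None:
        self.mailer = mailer
        self.clock = clock
        self.accounts: Dict[str, dict] = {}                 # email -> {"salt", "digest", "profile"}
        self.failures: Dict[str, Tuple[int, float]] = {}    # email -> (failed attempts, locked_until)

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _issue_pin(self, email: str) -> None:
        pin, salt = new_pin(), secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "digest": self._digest(pin, salt), "profile": {"dob": "1970-01-01"}}
        self.mailer.send(email, f"Your PIN is {pin}")  # e-mail is the only channel; the plaintext is then dropped

    def register(self, email: str) -> dict:
        self._issue_pin(email)
        return {"status": "ok"}

    def resend_pin(self, email: str) -> dict:
        # A fresh PIN replaces the old one; the response is identical whether or not the account exists.
        if email in self.accounts:
            self._issue_pin(email)
        return {"status": "ok"}

    def login(self, email: str, pin: str) -> bool:
        now = self.clock()
        count, locked_until = self.failures.get(email, (0, 0.0))
        if now < locked_until:
            return False  # locked out: even the right PIN is refused until the window passes
        acct = self.accounts.get(email)
        salt = acct["salt"] if acct else bytes(16)
        expected = acct["digest"] if acct else bytes(32)
        actual = self._digest(pin, salt)  # always run the KDF so timing does not reveal account existence
        if acct is not None and hmac.compare_digest(actual, expected):
            self.failures.pop(email, None)
            return True
        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = now + self.LOCKOUT_SECONDS
        self.failures[email] = (count, locked_until)
        return False


def takeover(api, victim_email: str) -> bool:
    """The attack the researchers described: call resend_pin for someone else's
    address, read the PIN out of the response, log in. Only VulnerableApi falls for it."""
    leaked = api.resend_pin(victim_email).get("pin")
    return leaked is not None and api.login(victim_email, leaked)


if __name__ == "__main__":
    for cls in (VulnerableApi, HardenedApi):
        api = cls(OutboxMailer())
        api.register("victim@example.com")
        print(cls.__name__, "takeover succeeded:", takeover(api, "victim@example.com"))
```

Run it and `takeover` succeeds against `VulnerableApi` and fails against `HardenedApi`. Note that the hardened `resend_pin` still needs its own per-address rate limit in a real deployment, since otherwise it can be used to keep invalidating a victim's PIN; that is left out here to keep the example short.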
You might think that the eRosary account isn't the most important personal profile users could have, and indeed, the lack of any payment information or things like Social Security Numbers and ID documents does make a potential breach a bit easier to swallow. Nevertheless, the affected accounts still hold details like phone numbers, dates of birth, height, weight, etc., so the vulnerability shouldn't be taken lightly.
The patch was released quickly
If there's anything positive we can single out from all this, it would be the Church's relatively quick reaction. The researchers said that the people responsible for the app acted professionally, and the mere fact that the hole was plugged within 24 hours of the initial disclosure speaks volumes about how the problem was handled. Unfortunately, there are still some questions.
Fidus' experts noted that the plaintext PIN in the API response has been replaced by an 8-digit string, which is likely an obfuscated version of the real thing. As of right now, the researchers don't know how the obfuscation works, but their report does suggest that reverse-engineering it could be a matter of time. That matters because a four-digit PIN has only 10,000 possible values: unless the transformation depends on a secret the attacker cannot obtain, once it has been recovered from the app an attacker can compute it for every candidate PIN offline and match the result against the string in the response. Obfuscation only buys time; the robust fix is to return nothing derived from the PIN at all.
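The following added example shows why obfuscating the leaked value is not a fix. It is not the eRosary app's algorithm, which is unknown; `toy_obfuscate` is a constructed stand-in (a truncated SHA-256 under a fixed app-wide key) for whatever deterministic transform produces the 8-character string. The point generalizes to any such transform: with only 10,000 inputs, inverting it is a matter of computing it for each one.

```python
"""Added example: inverting a deterministic transform of a 4-digit PIN by exhaustion.
The transform below is a constructed stand-in, not the real app's (unknown) obfuscation."""
import hashlib
import itertools
import string
from typing import Callable, List

PIN_LENGTH = 4
ALPHABET = string.digits           # 10 ** 4 == 10_000 possible PINs

APP_KEY = b"erosary-app-key:"      # hypothetical fixed key baked into the app binary


def toy_obfuscate(pin: str) -> str:
    """Hypothetical 8-character 'obfuscation': truncated SHA-256 of the PIN under a
    key that ships inside the app. Anything recoverable from the binary is not a secret."""
    return hashlib.sha256(APP_KEY + pin.encode()).hexdigest()[:8]


def keyspace_size() -> int:
    return len(ALPHABET) ** PIN_LENGTH


def recover_pins(observed: str, obfuscate: Callable[[str], str] = toy_obfuscate) -> List[str]:
    """Return every PIN whose transform matches the observed string.
    The attacker needs only the transform (from the app) and the value taken from
    the resend_pin response; the search is offline and touches no rate limit."""
    return [
        "".join(digits)
        for digits in itertools.product(ALPHABET, repeat=PIN_LENGTH)
        if obfuscate("".join(digits)) == observed
    ]


if __name__ == "__main__":
    # Constructed victim PIN; in the attack scenario only the 8-character value is seen.
    leaked = toy_obfuscate("4821")
    print(f"response carried {leaked!r}; candidates after {keyspace_size()} tries:", recover_pins(leaked))
```

Because the output is only 32 bits wide, a second PIN could in principle collide with the observed value, which is why `recover_pins` returns a list; in practice the list has one entry, and one or two online login attempts settle it either way.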
All in all, from a security standpoint, the Vatican's latest foray into the digital world is off to a shaky start. Let's hope it doesn't get any bumpier.