The Vatican has been forced to patch security holes in its new iOS and Android-compatible ‘smart rosary’ just hours after launching the device.
Driving the news
The Pope’s Worldwide Prayer Network launched the eRosary last Tuesday in a press conference in the Vatican.
A Vatican News story described the ornament as “an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world”.
“It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content about the praying of the Rosary”, Vatican News said.
But as The Register reports, within hours researchers at Fidus Information Security uncovered “embarrassing” vulnerabilities in the security of the eRosary, developed by Taiwan-based tech company GadgTek Inc (GTI).
“One of our researchers decided to check out the code, and in just 10 minutes found some glaring issues”, Andrew Mabbitt, founder of Fidus, told The Register.
“It looks like someone’s taken a fitness band app and bodged it together with existing code that leaves any user account hackable”, he said.
Concretely, the flaws Fidus researchers uncovered were twofold: a weak four-digit PIN that left accounts open to brute-force attacks, and a vulnerability in the API code that meant an attacker could obtain a user’s password with nothing more than the account’s email address.
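To make the PIN finding concrete from a defender’s side, the following is an added illustration, not code from the eRosary app, GadgTek or Fidus: a small in-memory model of a PIN check that can run with or without a failed-attempt lockout. Running the guessing loop against both configurations shows why an unthrottled four-digit PIN is exhausted in at most 10,000 attempts, while a lockout after a handful of failures bounds the guess budget regardless of PIN length. The account, the PIN and the lockout threshold are all constructed values.

```python
"""Model of four-digit PIN verification with and without a lockout policy.

Constructed example (not code from the eRosary app or from Fidus): it
contrasts an unthrottled PIN check, which an online guesser can exhaust
in at most 10,000 attempts, with a check that locks the account after a
fixed number of failures.
"""
from dataclasses import dataclass
import hmac
from typing import Optional, Tuple

PIN_LENGTH = 4
PIN_SPACE = 10 ** PIN_LENGTH  # 10,000 possible four-digit PINs


@dataclass
class Account:
    email: str
    pin: str
    failed_attempts: int = 0
    locked: bool = False


class PinVerifier:
    """Verifies PINs; max_failures=None reproduces an unthrottled check."""

    def __init__(self, max_failures: Optional[int]):
        self.max_failures = max_failures

    def verify(self, account: Account, candidate: str) -> bool:
        if account.locked:
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(account.pin, candidate):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if self.max_failures is not None and account.failed_attempts >= self.max_failures:
            account.locked = True
        return False


def simulate_guessing(verifier: PinVerifier, account: Account) -> Tuple[Optional[str], int]:
    """Submit every PIN in order until one is accepted or the account locks.

    Returns (accepted PIN or None, number of attempts the policy allowed).
    This measures what a given verification policy permits; the point is
    the comparison between the two policies, not the loop itself.
    """
    attempts = 0
    for n in range(PIN_SPACE):
        candidate = f"{n:0{PIN_LENGTH}d}"
        attempts += 1
        if verifier.verify(account, candidate):
            return candidate, attempts
        if account.locked:
            break
    return None, attempts


if __name__ == "__main__":
    # Constructed account; the PIN is chosen for the demonstration only.
    unthrottled = Account("user@example.test", "7345")
    print("no lockout:", simulate_guessing(PinVerifier(max_failures=None), unthrottled))
    throttled = Account("user@example.test", "7345")
    print("lockout after 5:", simulate_guessing(PinVerifier(max_failures=5), throttled))
```

Without a lockout the loop is guaranteed to succeed within the 10,000-value PIN space; with a lockout of five failures the same loop is stopped after five guesses and the account is marked locked. In a real service the lockout would be paired with rate limiting per source and a recovery path for the legitimate user, which this model omits.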
While the eRosary accounts don’t contain financial data, The Register said they do hold personally identifying information such as names and physical characteristics, which could be damaging to those Catholics who acquire the device in countries where Christians are persecuted.
Why it matters
After alerts from Fidus and other cyber-security experts, the Pope’s Worldwide Prayer Network fixed both the brute-force and the API issues on the eRosary within days, “but in a really convoluted way”, Mabbitt said.
Since the eRosary was only announced this week, only a few thousand people are thought to be using it so far.
On the Google Play Store, the app currently has a rating of just 3.8 stars out of 5.
But the security issues are not the only problems the eRosary has experienced in its short life to date.
Eyebrows were raised both at its steep $109 (99 euro) price tag, and also its focus away from the traditional Glorious, Joyful, Luminous and Sorrowful rosary mysteries to new themes for prayer, including care for the environment, migrants and refugees, vocations, and young people.