Researchers needed only 10 minutes to find serious vulnerabilities in the Vatican’s eRosary bracelet. The good news is that the issues were fixed in a couple of days, although the prayer gadget is still being prodded for security problems.
A flaw in the bracelet's companion app allows user accounts to be taken over. Researchers found the issues in less than ten minutes, showing how unsafe the prayer accessory is.
The eRosary is described as a tool that helps people learn how to pray the rosary, and uses Bluetooth connectivity. Users activate the device by making the sign of the cross on a touch sensor. Of course, like many devices in the IoT ecosystem, it needs a mobile app and has to communicate with it.
The ClickToPray eRosary and the app are secured with Google Authentication, Facebook Authentication and email login. The problem is that it uses a PIN and not a password.
“The 4 digit PIN controls access to the application and upon resetting a user account, is sent to the registered email,” explained the Fidus researchers. “When the application requests a PIN to be sent it calls ‘resend_pin’, which sends the pin to the email but catastrophically also returns the PIN in the API’s response; making it possible for anybody to obtain the 4 digit PIN being sent WITHOUT email access.”
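To make the flaw concrete, here is an added Python sketch, not the eRosary's or Fidus's code: the endpoint name is borrowed from the quote, while the user set, reset store and mailer are constructed in-memory stand-ins. It shows a resend_pin handler that echoes the PIN in its response, beside a hardened version that keeps the PIN out of the response, stores only a hash with an expiry, answers identically whether or not the account exists, and caps guesses, since a four-digit PIN has only 10,000 possible values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the account store, reset state and mail system.
USERS = {"alice@example.com"}     # constructed sample account
EMAIL_OUTBOX = {}                 # email -> last PIN sent (visible only to the mailbox owner)
RESET_STATE = {}                  # email -> {"pin_hash", "expires", "attempts"}
PIN_TTL_SECONDS = 600
MAX_ATTEMPTS = 5                  # 4 digits = 10,000 guesses, so attempts must be capped

def send_email(email: str, pin: str) -> None:
    EMAIL_OUTBOX[email] = pin

def _new_pin() -> str:
    return f"{secrets.randbelow(10_000):04d}"

def _hash_pin(email: str, pin: str) -> str:
    # Salt with the email so a leaked reset store does not reveal usable PINs.
    return hashlib.sha256(f"{email}:{pin}".encode()).hexdigest()

def resend_pin_vulnerable(email: str) -> dict:
    """Mirrors the reported flaw: the PIN is emailed AND returned in the API response."""
    pin = _new_pin()
    send_email(email, pin)
    return {"status": "ok", "pin": pin}   # leaks the PIN to anyone who can call the API

def resend_pin_fixed(email: str) -> dict:
    """Hardened form: the PIN leaves only via email; the server keeps a hash, TTL and counter."""
    if email in USERS:
        pin = _new_pin()
        RESET_STATE[email] = {"pin_hash": _hash_pin(email, pin),
                              "expires": time.time() + PIN_TTL_SECONDS, "attempts": 0}
        send_email(email, pin)
    # Same response for known and unknown emails, so the endpoint cannot enumerate accounts.
    return {"status": "ok", "message": "If the account exists, a PIN has been emailed."}

def verify_pin(email: str, pin: str) -> bool:
    state = RESET_STATE.get(email)
    if state is None or time.time() > state["expires"]:
        return False
    if state["attempts"] >= MAX_ATTEMPTS:
        return False                      # locked out until a fresh PIN is requested
    state["attempts"] += 1
    ok = hmac.compare_digest(state["pin_hash"], _hash_pin(email, pin))
    if ok:
        del RESET_STATE[email]            # single use
    return ok
```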
The data compromised by the hack included the username, weight, height, gender, date of birth, and phone number. A few limited fitness features are implemented as well on the eRosary.
After the researchers notified the vendor, the vulnerabilities were patched within 36 hours, which is surprisingly quick. But even after the device’s security was strengthened, the researchers think it’s not enough and continue to look for ways to compromise it.
The Vatican’s eRosary device was launched a week ago, and it has only a few thousand users, judging by the number of downloads for the accompanying app.