The Vatican recently launched a holey wearable app onto the Internet of Things (IoT). The Church’s wearable IoT device, Click To Pray eRosary, is a bracelet of rosary beads along with a smart cross. The device is part of the Vatican’s mission to pray for peace. But the app is bedeviled by what sources call a “significant cybersecurity flaw.”
The $110 device syncs with Click to Pray, the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, it also tracks your steps, too, for those that want to exercise both body and soul.
The Verge reports the gadget, designed by GadgeTek, a division of Acer, and pairs with an iOS or Android app you can download. The device can be bought through Amazon Italy or , the specs include:
Six-axis inertial sensing- Bluetooth 5.0
- IP67 water and dust resistance
- Wireless charging
- a 15mAh lithium-ion battery
- 10 black agate beads and 11 hematite beads
The “smart cross” stores all technical data. The app, however, appears to handle all of the actual user-interaction — the “smart cross,” does not appear to interact directly with the user. Engadget claims that the device also tracks health-related information. It’s basically an adapted fitness tracker, and it still doubles as a fitness tracker.
The Click To Pray eRosary is an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world. It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content…
Its target audience is:
the peripheral frontiers of the digital world where the young people dwell (rb- Maybe something got lost in translation)
The Catholic Church proved it is merely mortal when it comes to the Internet of Things. Like Most things IoT it was released with security holes. Sopho’s Naked Security blog explains that Fidus Information Security discovered a flaw in the prayer app’s authentication mechanism. The pious can safely log in via Google and Facebook but in the good catholic tradition, any alternatives cause issues.
The flaw rises when a user resets their account using the Click to Pray app. it makes an API call to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user’s PIN without having access to their email.
The researchers say they used this method to easily log in and obtained phone numbers, height, weight, gender, and birth dates. CNet says the Android version of the app also asks for access to location data and permissions to make calls.
Also, there was no limit to the number of login attempts, which is a dream for any hacker who wants to make automated, or brute force, attempts to break in.
Security researcher Elliot Alderson not only found the eRosary vulnerability, but he also reported it to the Vatican first. And of course, the Vatican respond via Twitter with appreciation. The Vatican’s representative, a self-described “Digital Jesuit in Rome,” Father Robert Ballecer, understood the significance of having a security researcher attempting to contact the Vatican.
The church’s developers reportedly patched the eRosary within 24 hours.
rb-
The quick response by the Vatican is more than we can say for most organizations. So when it comes to the security of the Vatican’s new wearable device, it’s a good thing the Digital Jesuit is on the team.
They moved pretty fast for an organization that took 350 years to forgive Galileo.
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.