{"id":110927,"date":"2019-10-27T13:43:02","date_gmt":"2019-10-27T17:43:02","guid":{"rendered":"http:\/\/rbach.net\/index.php\/"},"modified":"2021-08-19T14:58:09","modified_gmt":"2021-08-19T18:58:09","slug":"church-wearable-device-very-holey","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/church-wearable-device-very-holey\/","title":{"rendered":"Church Wearable Device Very Holey"},"content":{"rendered":"<p><a href=\"https:\/\/web.archive.org\/web\/20221206154149\/http:\/\/inventorspot.com\/articles\/internet_things_exceeds_internet_people_infographic\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-111170\" title=\"Church Wearable Device Very Holey\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/iot_logo-8.jpg?resize=95%2C85&#038;ssl=1\" alt=\"Church Wearable Device Very Holey\" width=\"95\" height=\"85\" \/><\/a>The <strong>Vatican<\/strong> recently launched a holey wearable app onto the Internet of Things (IoT). The Church&#8217;s wearable IoT device, <a href=\"https:\/\/clicktopray.org\/click-to-pray-erosary-the-new-smart-rosary-to-pray-for-peace-in-the-world\/\" target=\"_blank\" rel=\"noopener noreferrer\">Click To Pray eRosary<\/a>, is a bracelet of rosary beads along with a <strong>smart cross. <\/strong>The device is part of the Vatican\u2019s mission to pray for peace. 
But the app is bedeviled by what sources call a <strong>\u201csignificant cybersecurity flaw.\u201d<\/strong><\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20220817042543\/https:\/\/cruxnow.com\/vatican\/2016\/12\/20\/looking-back-2016-year-surprises-pope-francis\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111171\" title=\"Pope\u2019s Worldwide Prayer Network\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/pope-e1572194494124-150x104.jpg?resize=100%2C69&#038;ssl=1\" alt=\"Pope\u2019s Worldwide Prayer Network\" width=\"100\" height=\"69\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/pope-e1572194494124.jpg?resize=150%2C104&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/pope-e1572194494124.jpg?resize=75%2C52&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/pope-e1572194494124.jpg?w=565&amp;ssl=1 565w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a>The $110 device syncs with <strong>Click to Pray<\/strong>, the official <strong>prayer app<\/strong> of the Pope\u2019s Worldwide Prayer Network. It <strong>tracks the user\u2019s progress<\/strong> as they work through different sets of themed prayers. Oh, it also tracks your steps, for those who want to exercise both body and soul.<\/p>\n<p><em><a href=\"https:\/\/www.theverge.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">The Verge<\/a><\/em> <a href=\"https:\/\/www.theverge.com\/circuitbreaker\/2019\/10\/17\/20920101\/click-to-pray-e-rosary-catholic-church-vatican-prayer-beads\" target=\"_blank\" rel=\"noopener noreferrer\">reports<\/a> the gadget was designed by GadgeTek, a division of <strong>Acer<\/strong>, and pairs with <a href=\"https:\/\/apps.apple.com\/app\/id1477960251\">an iOS<\/a> or <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.clicktoprayerosary\">Android app<\/a> you can download. 
The device can be bought through <a href=\"https:\/\/www.amazon.it\/dp\/B07YVKSL23?tag=theverge02-20\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Amazon Italy<\/a> or , and the specs include:<\/p>\n<ul>\n<li id=\"RVz965\"><a href=\"https:\/\/web.archive.org\/web\/20191017200759\/https:\/\/www.geek.com\/tech\/vatican-unveils-click-to-pray-wearable-rosary-device-1807536\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111172\" title=\"eRosary\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/eRosary-e1572197028277-133x150.jpg?resize=75%2C84&#038;ssl=1\" alt=\"eRosary\" width=\"75\" height=\"84\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/eRosary-e1572197028277.jpg?resize=133%2C150&amp;ssl=1 133w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/eRosary-e1572197028277.jpg?resize=67%2C75&amp;ssl=1 67w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/eRosary-e1572197028277.jpg?w=500&amp;ssl=1 500w\" sizes=\"auto, (max-width: 75px) 100vw, 75px\" \/><\/a>Six-axis inertial sensing<\/li>\n<li id=\"XPfXkS\">Bluetooth 5.0<\/li>\n<li id=\"QCJxBT\">IP67 water and dust resistance<\/li>\n<li id=\"1Eu6Ti\">Wireless charging<\/li>\n<li id=\"aNhtMx\">A 15mAh lithium-ion battery<\/li>\n<li id=\"an5WWw\">10 black agate beads and 11 hematite beads<\/li>\n<\/ul>\n<p>The \u201csmart cross\u201d stores all technical data. The app, however, appears to handle all of the actual user interaction \u2014 the \u201csmart cross\u201d does not appear to interact directly with the user. <a href=\"https:\/\/www.engadget.com\/2019\/10\/16\/vatican-click-to-pray-wearable-rosary\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Engadget<\/em><\/a> claims that the device also <strong>tracks health-related information<\/strong>. It\u2019s basically an adapted fitness tracker, and it still doubles as one. 
The <em><a href=\"https:\/\/www.vaticannews.va\/\" target=\"_blank\" rel=\"noopener noreferrer\">Vatican News<\/a><\/em> <a href=\"https:\/\/www.vaticannews.va\/en\/vatican-city\/news\/2019-10\/click-pray-rosary-smart-digital-device-world-peace.html\" target=\"_blank\" rel=\"noopener noreferrer\">explained<\/a> the Church&#8217;s move to the IoT like this:<\/p>\n<p style=\"text-align: justify; padding-left: 30px;\"><em>The Click To Pray eRosary is an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world. It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content&#8230;<br \/>\n<\/em><\/p>\n<p>Its target audience is:<\/p>\n<p style=\"text-align: justify; padding-left: 30px;\"><em>the peripheral frontiers of the digital world where the young people dwell <\/em>(<strong>rb-<\/strong> Maybe something got lost in translation)<em><br \/>\n<\/em><\/p>\n<p>The Catholic Church proved it is merely mortal when it comes to the<strong> Internet of Things<\/strong>. Like most things IoT, it was released with<strong> security holes<\/strong>. 
<a href=\"https:\/\/web.archive.org\/web\/20240415214827\/https:\/\/www.sophos.com\/en-us\" target=\"_blank\" rel=\"noopener noreferrer\">Sopho\u2019s<\/a> <a href=\"https:\/\/nakedsecurity.sophos.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Naked Security<\/em><\/a> blog <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/10\/22\/vatican-developers-commit-cardinal-coding-sin\/\" target=\"_blank\" rel=\"noopener noreferrer\">explains<\/a> that <a href=\"https:\/\/web.archive.org\/web\/20230724070850\/https:\/\/fidusinfosec.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Fidus Information Security<\/a> <a href=\"https:\/\/web.archive.org\/web\/20230629060451\/https:\/\/fidusinfosec.com\/clicktopray-erosary-account-takeover\/\" target=\"_blank\" rel=\"noopener noreferrer\">discovered a flaw<\/a> in the prayer app\u2019s authentication mechanism. The pious can safely log in via Google and Facebook but in the good catholic tradition, any alternatives cause issues.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20210228010545\/http:\/\/www.woodchests.com\/65-Giant-Brass-Padlock_p_80.html\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111173\" title=\"flaw in authentication mechanism\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/lock_key_old-1.jpg?resize=95%2C81&#038;ssl=1\" alt=\"flaw in authentication mechanism\" width=\"95\" height=\"81\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/lock_key_old-1.jpg?resize=150%2C128&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/lock_key_old-1.jpg?resize=75%2C64&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/lock_key_old-1.jpg?w=360&amp;ssl=1 360w\" sizes=\"auto, (max-width: 95px) 100vw, 95px\" \/><\/a>The flaw rises when a user <strong>resets their account<\/strong> using the Click to Pray app. 
The app makes an API call to the server, which then sends the PIN to the user\u2019s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the <strong>user\u2019s PIN without having access to their email<\/strong>.<\/p>\n<p>The researchers say they used this method to easily log in and obtain <strong>phone numbers, height, weight, gender, and birth dates<\/strong>. <a href=\"https:\/\/www.cnet.com\/news\/vaticans-wearable-rosary-gets-fix-for-app-flaw-allowing-easy-hacks\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>CNET<\/em> says<\/a> the Android version of the app also asks for access to <strong>location data<\/strong> and permissions to <strong>make calls<\/strong>.<\/p>\n<p>Also, there was no limit on the number of login attempts, which is a dream for any hacker who wants to make automated, or <strong>brute force<\/strong>, attempts to break in.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20231003174428\/http:\/\/www.alwaysrent-nj.com\/product\/hammers__electric\/65-paving-breaker\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111174\" title=\"brute force attack\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/jackhammer-1.jpg?resize=95%2C95&#038;ssl=1\" alt=\"brute force attack\" width=\"95\" height=\"95\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/jackhammer-1.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/jackhammer-1.jpg?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/jackhammer-1.jpg?w=220&amp;ssl=1 220w\" sizes=\"auto, (max-width: 95px) 100vw, 95px\" \/><\/a>Security researcher Elliot Alderson not only found the eRosary vulnerability, but he also reported it to the Vatican first. And, of course, the Vatican responded via Twitter with appreciation. 
The Vatican&#8217;s representative, a self-described &#8220;Digital Jesuit in Rome,&#8221; Father Robert Ballecer, understood the significance of having a security researcher attempting to contact the Vatican.<\/p>\n<p>The Church&#8217;s developers reportedly patched the eRosary <a href=\"https:\/\/www.theregister.co.uk\/2019\/10\/18\/vatican_erosary_insecure\/\" target=\"_blank\" rel=\"noopener noreferrer\">within 24 hours<\/a>.<\/p>\n<p><em><strong>rb-<\/strong><\/em><\/p>\n<p><em><a href=\"https:\/\/www.newscientist.com\/article\/mg13618460-600-vatican-admits-galileo-was-right\/\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111175\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/galileo_square.png?resize=111%2C77&#038;ssl=1\" alt=\"\" width=\"111\" height=\"77\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/galileo_square.png?resize=150%2C104&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/galileo_square.png?resize=75%2C52&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/galileo_square.png?resize=768%2C534&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/galileo_square.png?w=822&amp;ssl=1 822w\" sizes=\"auto, (max-width: 111px) 100vw, 111px\" \/><\/a>The quick response by the Vatican is more than we can say for <a href=\"https:\/\/www.cnet.com\/news\/lawmakers-want-to-stop-a-future-filled-with-smart-devices-and-bad-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">most organizations<\/a>. 
So when it comes to the security of the Vatican&#8217;s new wearable device, it&#8217;s a good thing the Digital Jesuit is on the team.<\/em><\/p>\n<p><em>They moved pretty fast for an organization that took <a href=\"https:\/\/www.nytimes.com\/1992\/10\/31\/world\/after-350-years-vatican-says-galileo-was-right-it-moves.html\" target=\"_blank\" rel=\"noopener noreferrer\">350 years to forgive<\/a> <a href=\"https:\/\/starchild.gsfc.nasa.gov\/docs\/StarChild\/whos_who_level2\/galileo.html\" target=\"_blank\" rel=\"noopener noreferrer\">Galileo<\/a>.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li><a href=\"https:\/\/www.secureworldexpo.com\/industry-news\/business-email-compromise-example-2019\" target=\"_blank\" rel=\"noopener noreferrer\">Catholic Church Sends $1.7 Million to Hackers<\/a> (<a href=\"https:\/\/www.secureworldexpo.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SecureWorld<\/a>)<\/li>\n<\/ul>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Vatican launched a wearable IoT bracelet of rosary beads along with a smart cross that had security flaws<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[832],"tags":[3161,2099,2158,3374,832,944,3375,281],"class_list":["post-110927","post","type-post","status-publish","format-standard","hentry","category-internet-of-things","tag-3161","tag-authentication","tag-fail","tag-fidus-information-security","tag-internet-of-things","tag-iot","tag-prayers","tag-sophos"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/110927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=110927"}],"version-history":[{"count":13,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/110927\/revisions"}],"predecessor-version":[{"id":130960,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/110927\/revisions\/130960"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=110927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=110927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=110927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}