The Vatican has launched an extremely sleek Click To Pray eRosary, which is a bracelet of rosary beads along with a finely finished smart cross.
That's right, the cross is a now an Internet of Things device.
It looks stylish, is part of a mission to pray for peace, and it launched with a significant cybersecurity flaw.
What is the eRosary?
What is the Click To Pray eRosary and how does it work?
Vatican News covered the press conference where the church announced the device, and explains it like this:
"The Click To Pray eRosary is an interactive, smart and app-driven wearable device that serves as a tool for learning how to pray the rosary for peace in the world. It can be worn as a bracelet and is activated by making the sign of the cross. It is synchronized with a free app of the same name, which allows access to an audio guide, exclusive images and personalized content about the praying of the Rosary.
Aimed at the peripheral frontiers of the digital world where the young people dwell, the Click To Pray eRosary serves as a technology-based teaching tool to help young people pray the Rosary for peace and to contemplate the Gospel. The project brings together the best of the Church’s spiritual tradition and the latest advances of the technological world."
Those in cybersecurity already know that the latest advances within the Internet of Things (IoT) often launch with security flaws.
Security flaw in Vatican's new eRosary
And with any new prominent device hitting the market, you know there are security researchers who can't wait to test its security. That happened in this case.
And according to Naked Security, researchers:
"...exposed a brute-force flaw in the app’s authentication mechanism. It lets you log in via Google and Facebook—no problem there—but it's the alternative that caused the issue: access with a four-digit PIN.
When a user resets their account using Click To Pray's app, it uses an application programming interface (API) to make the request to the server, which then sends the PIN to the user's email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user's PIN without having access to their email."
The researchers say they used this method to easily log in and obtained phone numbers, height, weight, gender, and birth dates.
Also, there was no limit to the number of login attempts, which is a dream for any hacker who wants to make automated, or brute force, attempts to break in.
Update: Vatican issues a patch for the vulnerabilities
Security researcher Elliot Alderson not only found the eRosary vulnerability, he reported it to the Vatican first:
And how did the Vatican respond to all this news of a security flaw inside the eRosary? On Twitter, of course, and with appreciation. Here's Father Robert Ballecer's tweet:
Father Ballecer calls himself a "Digital Jesuit in Rome," and he clearly understood the significance of having a security researcher attempting to contact the Vatican. This is more than we can say for some organizations. So when it comes to the security of the Vatican's new wearable, it's a good thing the Digital Jesuit is on the team.
And there you have it: praying for peace and a patch.
So far, at least one of those prayers has been answered.
