Digital rosary discovered to be hackable, Vatican says it has fixed bugs

Vatican City, Oct 21, 2019 / 07:40 pm (CNA).- Shortly after the new “smart rosary” bracelet was released last week, the Vatican discovered an easy route for hackers to retrieve a user’s personal information. The issue has since been fixed.

Launched on Oct. 15, the device is called an eRosary and allows users to track their prayers, find spiritual resources, and connect with an online prayer community.

A few days after its release, Fidus Information Security, a cyber security consulting service, discovered the device’s weak safety measures, which could have allowed hackers to gain access to a user’s personal information such as their phone number, date of birth, gender, and height.

“One of our researchers decided to check out the code, and in just 10 minutes found some glaring issues,” Andrew Mabbitt, founder of Fidus, told The Register tech site.

According to Fidus, the most glaring concern was a glitch that would allow a hacker to access a user's password - a four-digit PIN - without connecting to the user’s email. The application uses API calls to talk to its backend system. Upon request for a user’s email address, the system would send over a readable text of the user’s PIN through the API.

Father Frédéric Fornos, international director for the Pope's Worldwide Prayer Network, told The Register that Vatican coders were placed on the problem immediately after he heard about the issue on Oct. 17. Since then, the issue has been corrected.

According to The Register, Fidus also found that, because there are unlimited password guesses, hackers would be able to retrieve the pin number by “brute forcing” - a means to retrieve hidden information through excessive trial and error. However, a Vatican spokesperson said this issue has also been resolved.

The eRosary was launched under the Pope’s Worldwide Prayer Network and developed by the Taiwan-based tech company GadgTek Inc.

The Bluetooth device in the bracelet connects to Click to Pray, a phone app on iOS or Android that reminds people to pray. It also includes reflections, campaigns, and an electronic bulletin board, where users may request or find prayer intentions.

The eRosary activates when the user makes a sign of the cross. It tracks the user's progress and, in connection with the user’s phone, provides visual aids and audio reflections on the mysteries of the rosary.

The device is available on Amazon.it for 99 euros, roughly $109.

According to an Oct. 15 press release from Click to Pray, the eRosary is an opportunity to connect young people together in prayer.

“Aimed at the peripheral frontiers of the digital world where the young people dwell, the Click To Pray eRosary serves as a technology-based pedagogy to teach the young how to pray the Rosary, how to pray it for peace, how to contemplate the Gospel,” the press release said.