Researchers have discovered a number of vulnerabilities in Circle with Disney, a popular internet monitoring platform for parents, potentially exposing countless families to malware and covert surveillance.
Cisco’s Talos Intelligence team revealed 22 flaws in the product, which pairs wirelessly with the home Wi-Fi network to manage every device on it, including smartphones, tablets, PCs and smart TVs. The idea is that parents can monitor and control what their children access by creating user profiles via the Android/iOS app interface.
“Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”
The bugs include CVE-2017-2898, which allows specially crafted network packets to cause unsigned firmware to be installed on the device, resulting in arbitrary code execution.
Another, CVE-2017-2911, means that certificates for specific domain names can cause the product to accept a different certificate than intended, while CVE-2017-2864 can cause a valid authentication token to be returned to the attacker — resulting in authentication bypass.
Despite the long list of vulnerabilities, Cisco Talos was quick to acknowledge the vendor’s willingness to resolve the issues.
“The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication,” it said. “Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.”
Cesare Garlati, chief security strategist of the non-profit prpl Foundation, argued the case is another example of why the IoT is broken from a security perspective.
“This simple reason alone should also be a warning to globally recognized companies who wish to distribute or manufacture such devices with a ‘sales-first’ mentality,” he added. “These companies need to take a step back, look at more secure alternatives such as using open source, and work security from the ground up into their products. It’s high time for security to stop being an afterthought.”