Circle With Disney: Hackers Can Hijack Parental Control Filter

Circle with Disney, a popular parental control and internet content filter, is plagued with security flaws that could allow an attacker to monitor activity or hijack devices, according to security researchers.

An examination of the Disney-owned, family-centric security system by experts at Talos Intelligence—a cybersecurity firm owned by Cisco Systems— found 23 individual security vulnerabilities in Circle with Disney.

Marketed as the "the smart way for families to manage content and time online, on any device," Circle With Disney is a product designed to give parents the ability to monitor and control the type of content that their children are exposed to. Sold for $99, the product pairs wirelessly with a number of devices, including Android and iOS phones and tablets, smart TVs, computers and more.

Once connected, parents have a wide range of controls they can use to place limitations on screen time and usage. Circle with Disney can be used to filter out certain content, set strict time limits, track usage and monitor online activity among other surveillance features.

Unfortunately, researchers at Talos found the product intended to ensure a child’s safety while online may actually open the whole family up to a range of potentially harmful and invasive activities from attackers.

"Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands , install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device," the researchers wrote.

In a blog post, researchers from the security firm warned of 23 bugs ranging in severity, with the worst of the bunch scoring a 10.0 on the Common Vulnerability Scoring System (CVSS)—the highest possible score denoting a critical security flaw.

That bug, identified by researchers as CVE-2017-12087, could allow an attacker connected to the same network as Circle With Disney to overwrite information and perform potentially malicious functions as dictated by the attacker.

Another flaw—identified as CVE-2017-2917—also scored as a critical vulnerability, notching a 9.9 CVSS score. According to researchers, the exploit has to do with the notifications functionality of Circle with Disney and allows attackers to use specially crafted network packets—malicious data designed to appear like standard web traffic—to inject commands to a device.

A number of other vulnerabilities also scored critical or high CVSS scores. Some of those bugs would allow an attacker to perform remote code execution on devices, corrupt memory, force machines to reboot and spread attacks to other devices through Disney’s cloud infrastructure.

Talos Intelligence informed Disney’s team of the security vulnerabilities and said the Circle security team has been “exemplary to work with” in fixing the problems.

"The team at Circle Media Labs has always been focused on offering features to help consumers manage screen time across all of the devices in the home," a spokesperson for Circle Media Labs told International Business Times. "We’ve been working very closely with the Talos team on their findings and worked quickly to issue firmware updates."

Owners of the Circle with Disney device shouldn’t have too much to fear when it comes to these vulnerabilities; the company created and pushed out an automatic security update that should install without requiring any manual effort from users.