Cisco Talos researchers have discovered 23 vulnerabilities in Circle with Disney monitoring software which could be used to hijack full families of devices.
Circle with Disney is touted as "the smart way for families to manage content and time online, on any device." The $99 Android and iOS-compatible product pairs wirelessly and can be used to create a network of devices, including smartphones, tablets, and smart TVs, monitoring Internet use and websites visited.
Aimed chiefly at parents, owners can set up 'bedtimes' which close down Internet access, "pause" access, and set up filtering to prevent children from visiting websites they shouldn't.
In a world fuelled by the Internet and social media, it's easy to see why such products appeal.
However, on Monday, the Talos security team disclosed a set of serious vulnerabilities which gives attackers the opportunity to tap into every family member's activities and spy on every device -- or worse.
"Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands , install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device," said the researchers.
The worst of the bugs, CVE-2017-12087, received the highest CVSS score possible of 10.0 in severity.
The exploitable heap overflow vulnerability exists in the mdnsd daemon and can force Circle to overwrite information on the heap with attacker controlled values, as long as the hacker has network connectivity to the Circle.
Another vulnerability, CVE-2017-2917, was rated at 9.9 by CVSS.
"An exploitable vulnerability exists in the notifications functionality of Circle with Disney," the team says. "Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request trigger this vulnerability."
In addition, CVE-2017-2898 allows attackers to use crafted network packets to install unsigned firmware and perform remote code execution, CVE-2017-2865 can be exploited to monitor and tamper with network traffic, CVE-2017-2864 can be harnessed to circumvent authentication token functionality and the rather nasty CVE-2017-12084 can be exploited to install a persistent backdoor into the Circle device.
When exploited, other vulnerabilities found by the researchers can result in command injections, remote code execution, memory corruption, forced device reboots, and even utilize the Disney cloud infrastructure to attack other devices.
The vulnerabilities are serious, especially as the device is aimed at use concerning children. There have been no reports to suggest Circle customers' information and data were compromised or exploited.
Talos says the Circle Media security team have been "exemplary to work with" and have worked with Talos to mitigate these vulnerabilities after they were discovered.
The company has pushed out automatic security updates to customers on October 19 and while working with the Circle team, the Talos security team verified the security patches to ensure they were sound.