Cisco Talos is disclosing several vulnerabilities identified in Circle with Disney. Circle with Disney is a network device designed to monitor the Internet use of children on a given network. Circle pairs wirelessly with your home Wi-Fi and allows you to manage every device on the network, whether tablet, TV, or laptop. It can also pair via Ethernet after the initial pairing. Using an iOS or Android app, families create unique profiles for every member of the home and from there, help shape each person's online experience.
The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication. Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.
Through these exploitable vulnerabilities, a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.