UPDATED 6:45 p.m. EST Monday, Jan. 22 with comment from Circle Media.
WASHINGTON — Circle with Disney is a home network appliance that's meant to protect children from the dangers of the internet. But until this past fall, the device was riddled with so many security vulnerabilities that it would have let attackers completely hijack home Wi-Fi networks and steal any data being transmitted. And it's hardly the only device to run into such issues.
Lilith Wyatt, a researcher with Cisco Talos, detailed during the ShmooCon security conference here Saturday (Jan. 20) how she and her team found no fewer than 23 different flaws with the Circle. Even though all those flaws have since been fixed with software updates, she explained, they're still commonly found on many other so-called "Internet of Things" devices that millions of customers are bringing into their homes.
"There's valuable information on this thing. You don't want it to be exposed," Wyatt said. "It's ironic that this device was meant to keep your kids safe."
Circle with Disney is a small white cube that connects to your home Wi-Fi router wirelessly or by using an Ethernet cable. Disney didn't develop the device; rather, it was the result of a Kickstarter campaign by a Portland, Oregon, company called Circle Media, which later partnered with Disney.
The device lets parents monitor and restrict the internet usage of other devices on the home network, Wyatt explained. To do this, it uses a technique known as ARP poisoning or ARP spoofing: it answers the local network's ARP lookups with its own hardware address, so that traffic between the household's devices and the Wi-Fi router passes through the Circle first. That is, in effect, a man-in-the-middle attack, something malicious hackers commonly do, but in this case it's done for a benign purpose.
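The flip side of the technique is that the same ARP behaviour is visible to anyone watching the network. The following is an added example (not code from the article, from Cisco Talos or from Circle Media) of the check a network defender would run: it scans a list of observed ARP replies and flags the two classic signs of ARP poisoning, a gateway IP that suddenly "moves" to a second MAC address, and a single MAC claiming both the gateway's IP and another host's IP. The replies, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply ('ip is-at mac') with a capture timestamp."""
    ts: float
    ip: str
    mac: str


def detect_arp_spoofing(replies, gateway_ip):
    """Scan ARP replies in time order and return (ts, message) alerts.

    Two signals of an ARP-poisoning man-in-the-middle:
      1. an IP address (the gateway above all) is suddenly claimed by a
         second MAC address;
      2. one MAC claims the gateway's IP *and* another host's IP, which is
         what a box sitting between the clients and the router looks like.
    """
    ip_to_macs = defaultdict(set)   # ip  -> every MAC seen claiming it
    mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed
    flagged_macs = set()            # MACs already reported for signal 2
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.mac.lower()
        # Signal 1: the IP was previously announced by a different MAC.
        if ip_to_macs[r.ip] and mac not in ip_to_macs[r.ip]:
            prev = ", ".join(sorted(ip_to_macs[r.ip]))
            tag = "GATEWAY " if r.ip == gateway_ip else ""
            alerts.append((r.ts, f"{tag}{r.ip} moved from {prev} to {mac}"))
        ip_to_macs[r.ip].add(mac)
        mac_to_ips[mac].add(r.ip)
        # Signal 2: one MAC impersonates the gateway and at least one host.
        if (gateway_ip in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1
                and mac not in flagged_macs):
            flagged_macs.add(mac)
            others = ", ".join(sorted(ip for ip in mac_to_ips[mac] if ip != gateway_ip))
            alerts.append((r.ts, f"{mac} claims gateway {gateway_ip} and {others}"))
    return alerts


# Constructed capture: a router, a laptop, then an interceptor that claims
# both addresses (the gratuitous-ARP pattern a poisoning appliance produces).
GATEWAY = "192.168.1.1"
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "a4:2b:8c:00:00:01"),   # real router
    ArpReply(0.5, "192.168.1.20", "f0:18:98:00:00:20"),  # a laptop
    ArpReply(5.0, "192.168.1.1", "00:11:22:33:44:55"),   # interceptor claims router
    ArpReply(5.1, "192.168.1.20", "00:11:22:33:44:55"),  # ... and the laptop
    ArpReply(6.0, "192.168.1.1", "00:11:22:33:44:55"),   # repeated announcement
]
CLEAN_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "a4:2b:8c:00:00:01"),
    ArpReply(0.5, "192.168.1.20", "f0:18:98:00:00:20"),
    ArpReply(9.0, "192.168.1.1", "a4:2b:8c:00:00:01"),
]


def run_sample():
    """Run the detector over the constructed capture and return its alerts."""
    return detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY)


if __name__ == "__main__":
    for ts, msg in run_sample():
        print(f"t={ts:5.1f}  {msg}")
```

On a real network the same logic can be fed from `arp -a` polled over time or from a packet capture filtered to ARP replies; the second signal is the more specific one, since a legitimate device replacement only moves one IP.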
The real problem, Wyatt said, was the fact that the device was otherwise so easy to attack and exploit.
One big issue was how Circle with Disney handled encryption. Because the device did not properly validate the certificates used to secure its web connections, Wyatt and her fellow researchers got it to accept certificates of their own, which let them intercept and read traffic that was supposed to be protected by HTTPS, the secure protocol behind Amazon purchases, online banking transactions and the like. A malicious attacker using the same technique could steal your credit card numbers, read your email and break into your online bank accounts.
Worse, because Circle with Disney sent its own authorization tokens to Circle's cloud servers over that same interceptable HTTPS channel, an attacker could capture those tokens and use them to gain root control of the device.
Wyatt and her team also found that they could force the Circle to shut down by making it connect to a Wi-Fi hotspot with a specially crafted network name, or SSID. With computer code embedded in the SSID itself, the device would shut down and not be able to reboot.
Like many IoT devices, the Circle can be accessed and controlled remotely. For example, a parent can use his or her iOS or Android smartphone to see what the children are doing online when they get home from school.
Wyatt explained that when a parent's smartphone connects to Circle's cloud servers, the smartphone transmits an authorization token that identifies the specific Circle with Disney device that the smartphone is paired with.
But the cloud service doesn't actively reach out to the destination device to complete the connection; rather, it waits for a routine signal that every Circle device sends to "check in" with the cloud servers several times a minute. When that signal arrives, the cloud lets the device know that the smartphone is trying to connect, and then passes messages between the two.
This connection is encrypted using the authorization token mentioned above. Wyatt found that the full token could not realistically be "cracked" by a "brute force" attack, in which a computer program rapidly tries every possible value until one works: the token was too long for that to finish. That was the good news.
The bad news was that she didn't need to brute-force the entire token. It turned out the beginning of the token was the device's MAC address, or unique network identifier, and that the MAC address was all you needed to connect to a specific device.
The first half of each MAC address is already known, because it identifies the device's manufacturer, leaving only the second half to guess: 16.7 million possibilities (2 to the 24th power), a space small enough to search with cracking software.
"We could easily brute-force that and talk to any Circle in the world," Wyatt said.
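The arithmetic behind that quote is worth seeing run. The following is an added example (not code from the article, from Cisco Talos or from Circle Media) that models the general weakness of an identifier-derived token: it enumerates every MAC address under one manufacturer prefix (OUI), brute-forces a constructed "registry" oracle the way an attacker would probe a cloud service that accepts any valid device identifier, and shows that the MAC can be read straight out of a token that is built from it. The OUI, the registered addresses and the token layout are assumptions for the example, not Circle's actual format.

```python
import secrets

MAC_BITS = 48
OUI_BITS = 24                   # first three octets: the manufacturer's OUI (public)
NIC_BITS = MAC_BITS - OUI_BITS  # remaining 24 bits are the only secret part


def search_space(known_bits: int, total_bits: int = MAC_BITS) -> int:
    """Number of candidates left once known_bits of a total_bits identifier are fixed."""
    return 1 << (total_bits - known_bits)


def mac_str(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def candidate_macs(oui: str):
    """Yield every MAC address under an OUI such as '00:1a:2b', lowest first."""
    base = int(oui.replace(":", ""), 16) << NIC_BITS
    for nic in range(1 << NIC_BITS):
        yield mac_str(base | nic)


def brute_force_device(oui: str, is_registered, limit: int = 1 << NIC_BITS):
    """Walk the MACs under one OUI until the oracle accepts one.

    is_registered stands in for whatever the attacker can query, e.g. a cloud
    endpoint that answers differently for a real device. Returns (mac, attempts)
    or (None, attempts) if the limit is hit.
    """
    attempts = 0
    for mac in candidate_macs(oui):
        attempts += 1
        if is_registered(mac):
            return mac, attempts
        if attempts >= limit:
            break
    return None, attempts


def weak_token(mac: str) -> str:
    """Constructed model of the flaw: token = MAC (12 hex chars) + random tail.

    The tail is unguessable, but the page's point is that the tail never has
    to be guessed: the MAC prefix alone identifies the device.
    """
    return mac.replace(":", "").lower() + secrets.token_hex(16)


def mac_from_weak_token(token: str) -> str:
    """Recover the device identity from the first 12 hex characters."""
    head = token[:12]
    return ":".join(head[i:i + 2] for i in range(0, 12, 2))


def strong_token() -> str:
    """What the token should look like: 256 random bits, no structure to exploit."""
    return secrets.token_hex(32)


# Constructed registry of "real" devices under a made-up OUI.
SAMPLE_OUI = "00:1a:2b"
KNOWN_DEVICES = {"00:1a:2b:00:04:d2", "00:1a:2b:7f:00:01"}


def run_sample():
    """Brute-force the constructed registry; returns (mac_found, attempts)."""
    return brute_force_device(SAMPLE_OUI, KNOWN_DEVICES.__contains__)


if __name__ == "__main__":
    print("candidates under one OUI:", search_space(OUI_BITS))
    print("candidates for a 256-bit random token:", search_space(0, 256))
    mac, tries = run_sample()
    print(f"found {mac} after {tries} guesses")
    print("MAC leaked by weak token:", mac_from_weak_token(weak_token(mac)))
```

The 24-bit space is the same size whether the attacker guesses the address offline or asks a server; the defence is a token that is not derived from a public identifier at all, as in `strong_token`, combined with rate limiting on whatever endpoint answers the guesses.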
Many IoT devices can't update their own software. The Circle with Disney can, which is a good thing overall. But when Wyatt examined the device, she found that it pulled those updates down from the internet over unencrypted channels, and accepted what it received without detecting tampering. Because of this, she and her team were able to substitute a malicious update that quickly let them take control of the device.
Despite all this negative news, Wyatt ended her talk on a positive note. She said she and her team reported the flaws to Circle, giving the company the standard 90 days to fix them before the researchers would go public.
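An update channel is only as trustworthy as the checks applied to what comes down it. The following is an added example (not code from the article, from Cisco Talos or from Circle Media) of the verification a device should perform before installing an update: require TLS for the download, check the manifest's signature before trusting any field in it, refuse downgrades, and compare the image hash against the signed manifest. Real firmware uses an asymmetric signature with only the public key on the device; because Python's standard library has no asymmetric primitive, the example uses an HMAC with a "device key" as a stand-in for the signature check, which is labelled as such in the code. The key, version numbers, URL and firmware bytes are constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails any check; the caller must not install it."""


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _signature(key: bytes, body: dict) -> str:
    # Stand-in for an asymmetric signature (Ed25519/RSA) over the manifest.
    # A symmetric key on the device can be extracted; this only demonstrates
    # the verification flow, not a production key arrangement.
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def sign_manifest(version: str, url: str, image: bytes, key: bytes) -> dict:
    """Build-server side: bind version, download URL and image hash together."""
    body = {"version": version, "url": url, "sha256": hashlib.sha256(image).hexdigest()}
    return {**body, "sig": _signature(key, body)}


def verify_update(manifest: dict, image: bytes, key: bytes, installed_version: str) -> None:
    """Device side: raise UpdateRejected unless every check passes."""
    body = {k: manifest.get(k) for k in ("version", "url", "sha256")}
    # 1. Authenticate the manifest first; nothing in it is trusted before this.
    expected = _signature(key, body)
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        raise UpdateRejected("manifest signature invalid")
    # 2. The download itself must be over TLS, not plain HTTP.
    if urlparse(body["url"] or "").scheme != "https":
        raise UpdateRejected("update must be fetched over https")
    # 3. Anti-rollback: never install an older (possibly vulnerable) build.
    if parse_version(body["version"]) <= parse_version(installed_version):
        raise UpdateRejected(f"version {body['version']} is not newer than {installed_version}")
    # 4. The bytes actually downloaded must match the signed hash.
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, body["sha256"]):
        raise UpdateRejected("image hash does not match signed manifest")


def apply_update(manifest: dict, image: bytes, key: bytes, installed_version: str) -> str:
    """Return a decision string instead of raising, for logging and for tests."""
    try:
        verify_update(manifest, image, key, installed_version)
    except UpdateRejected as exc:
        return f"rejected: {exc}"
    return f"installed {manifest['version']}"


# Constructed inputs for a stand-alone run.
DEVICE_KEY = b"constructed-example-key-not-a-real-secret"
FIRMWARE_V2 = b"\x7fELF constructed firmware image v2.0.0"
GOOD_MANIFEST = sign_manifest("2.0.0", "https://updates.example.net/fw.bin", FIRMWARE_V2, DEVICE_KEY)

if __name__ == "__main__":
    print(apply_update(GOOD_MANIFEST, FIRMWARE_V2, DEVICE_KEY, "1.9.9"))
    print(apply_update(GOOD_MANIFEST, FIRMWARE_V2 + b"\x90", DEVICE_KEY, "1.9.9"))
    print(apply_update(GOOD_MANIFEST, FIRMWARE_V2, DEVICE_KEY, "2.0.0"))
```

The ordering matters: the signature is checked before the URL or version fields are read, so an attacker who can rewrite the manifest in transit cannot point the device at a different server or an older build without also forging the signature.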
Circle was very quick to respond, she said. The company's security staff was "super positive" about being notified of the flaws, and the vulnerabilities got fixed by Oct. 31, 2017, which is when Cisco posted its report on the Circle with Disney.
"It was the most pleasant experience I've ever had with disclosure," Wyatt said. "I might not agree with the product philosophically, but the people were cool."
Tom's Guide has contacted Circle Media for comment, and we will update this report when we receive a reply.
UPDATE: A spokeswoman for Circle Media responded to us with a statement.
"As the Cisco team mentioned, we take security very seriously and worked very closely with their team to remedy their findings as quickly as possible," the statement read in part. "There is no evidence that any of these potential vulnerabilities were actually being leveraged for malicious purposes. All were discovered within a controlled, security research environment and disclosed privately to protect consumers."
"New firmware with the relevant fixes has already been released to all Circle Home devices via an automatic update," the statement added. "Throughout this process, we have not identified that any customer information or data was compromised or exploited."