Are Internet Monitoring Platforms Now Putting Families At Risk?

Researchers have discovered a number of vulnerabilities in the popular internet monitoring platform Circle with Disney, potentially exposing countless families to malware and covert surveillance.

Cisco’s Talos Intelligence team revealed 22 flaws in the product, which pairs wirelessly with the home Wi-Fi network to manage every device including smartphones, tablets, PCs and smart TVs. The idea is that parents can monitor and control what their children access by creating user profiles via the Android/iOS app interface.

Cisco says:

“Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”

The bugs include CVE-2017-2898, which allows specially crafted network packets to cause unsigned firmware to be installed on devices, resulting in arbitrary code execution.   

Another, CVE-2017-2911, means that certificates for specific domain names can cause the product to accept a different certificate than intended, while CVE-2017-2864 causes a valid authentication token to be returned to the attacker, resulting in authentication bypass.

Despite the long list of vulnerabilities, Cisco Talos was quick to acknowledge the vendor’s willingness to resolve the issues.

“The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication,” it said. “Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.”

Let this be a warning to globally recognized companies who wish to distribute or manufacture such devices with a ‘sales-first’ mentality. It's certainly time to look at more secure alternatives.

- Allyson White, CEO

Alde Security Solutions, LLC.

Source: Info-Security Magazine