CVE-2017-8867 - Elemental Path's CogniToys Dino smart toys through firmware version 0.0.794 use AES-128 with ECB mod

CVE-2017-8867

Summary

Elemental Path's CogniToys Dino smart toys through firmware version 0.0.794 use AES-128 with ECB mode to encrypt voice traffic between the device and remote server, allowing a malicious user to map encrypted traffic to a particular AES key index and gaining further access to eavesdrop on privacy-sensitive voice communication of a child and their Dino device.

References

https://dl.acm.org/citation.cfm?id=3139947

Vulnerable Configurations

cpe:2.3:o:cognitoys:stemosaur_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:cognitoys:stemosaur_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cognitoys:stemosaur:-:*:*:*:*:*:*:*
cpe:2.3:h:cognitoys:stemosaur:-:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

refmap via4

misc

https://dl.acm.org/citation.cfm?id=3139947

Last major update

03-10-2019 - 00:03

Published

11-12-2017 - 21:29

Last modified

03-10-2019 - 00:03