CVE-2017-8867 - Unspecified vulnerability in Cognitoys Stemosaur Firmware 0.0.794

CVSS 5.9 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Summary

Elemental Path's CogniToys Dino smart toys through firmware version 0.0.794 use AES-128 in ECB mode to encrypt voice traffic between the device and the remote server. This allows a malicious user to map encrypted traffic to a particular AES key index and gain further access to eavesdrop on privacy-sensitive voice communication between a child and their Dino device.

Vulnerable Configurations

Part      Description  Count
OS        Cognitoys    1
Hardware  Cognitoys    1