CVE-2017-8867

Name of the Vulnerable Software and Affected Versions Elemental Path's CogniToys Dino smart toys through firmware version 0.0.794

Description The issue concerns the use of AES-128 with ECB mode to encrypt voice traffic between the device and a remote server. This allows a malicious user to map encrypted traffic to a particular AES key index, potentially gaining access to eavesdrop on privacy-sensitive voice communication of a child and their Dino device.

Recommendations For Elemental Path's CogniToys Dino smart toys through firmware version 0.0.794, consider updating the firmware to a version that uses a more secure encryption mode, such as CBC or GCM, to prevent eavesdropping on voice communication. As a temporary workaround, restrict access to the device's voice communication feature until a patch is available.