Broken TLS certificate pinning in VTech DigiGo Kid Connect app

From: Summer of Pwnage <lists@securify.nl>
To: bugtraq@securityfocus.com
Cc:
Subject: Broken TLS certificate pinning in VTech DigiGo Kid Connect app
Date:


------------------------------------------------------------------------
Broken TLS certificate pinning in VTech DigiGo Kid Connect app
------------------------------------------------------------------------
Sipke Mellema, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
VTech's DigiGo is a hand held smart device for children. The device
contains a chat application chatting with friends and family, called Kid
Connect. The app has a broken certificate pinning implementation that
allows a man in the middle attack on text sent by the chat app.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was tested on a VTech DigiGo running firmware version
83.60630. It is likely that other versions are also affected.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
VTech pushed a firmware update to address this issue on 6 November,
2017. The firmware version still displays as 83.60630.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2017/broken-tls-certificate-pinning-in-vtech-digigo-kid-connect-app.html





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.