Improper JPAKE Implementation in Amazon Fire TV Stick and Insignia TV Allows Unauthorized Access
CVE-2023-1385

7.1HIGH

Key Information:

Vendor: Amazon
Status: Fire Tv Stick 3rd Gen; Tv With Fireos
Vendor: CVE Published:; 3 May 2023

What is CVE-2023-1385?

The vulnerability arises from an improper implementation of JPAKE (Password Authenticated Key Exchange) in the affected devices, specifically allowing for offline brute-forcing of user PINs. Due to the initialization of random values to a known state, attackers can exploit this flaw to achieve unauthorized authentication, potentially compromising user accounts associated with Amazon services and allowing them access to sensitive features of the Fire TV Stick and Insignia TVs. This highlights the importance of robust security practices in implementing cryptographic protocols.

Affected Version(s)

Fire TV Stick 3rd gen 6.2.9.4

TV with FireOS 7.6.3.2

References

https://www.bitdefender.com/blog/labs/vulnerabilities-ide...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 3, 2023
Vulnerability Reserved
Mar 14, 2023

Credit

Bitdefender IoT Research Team