Kodak managed to release a product with a big fat security vulnerability. [Casey] figured out that the Kodak W820 WiFi capable digital frame can be hijacked for dubious purposes. The frame can add Internet content as widgets; things like Facebook status, tweets, and pictures. The problem is that the widgets are based on a feed from a website that was publicly accessible. The only difference in the different feed addresses is the last two characters of the frame’s MAC address. Feeds that are already setup can be viewed, but by brute-forcing the RSS link an attacker can take control of the feeds that haven’t been set up yet and preload them with photos you might not want to see when you boot up your factory-fresh frame.
It seems the hole has been closed now, but that doesn’t diminish the delight we get from reading about this foible. There’s a pretty interesting discussion going on in the thread running at Slashdot.
@The word ‘foible’: “What are you doin’ usin’ your big school words just use normal people words and I’ll understand what you’re talkin’ about.”
Sorry, had to. Hope I’m not the only one who’s not familiar with that one…
Has anyone opened one of these guys up to see what is under the hood?
The vulnerability was closed the day the slashdot article ran (which was like 4 days ago btw).
I asked for the source code of one of their frames earlier on… I was interested in doing my own development on it…. here was their reply…
—-
Greetings,
Thank you for your recent visit to the Kodak Web site and question about the source code for the firmware of the Kodak EasyShare digital picture frame.
We appreciate the chance to be of assistance.
We regret to inform you that currently we do not give out the source code of the firmware of our digital picture as they are considered to be confidential and a business-proprietary information.
If you encounter an issue in the future with your Kodak product or Kodak EasyShare software, we have created an online troubleshooting guide. You may click on the URL below to access this troubleshooting guide.
—
Geeze.. I bet they are wishing they open sourced it now.. or maybe this is why they didn’t!
@Skitchin
I’ve never heard foible used in the sense of security before. It did sound strange.
Anyhow, the site checks the user agent of your browser, and if you change the productID (add 1 to it) as well as your user agent, you can still see the pictures for other users. I really don’t see the benefit of this though.
I want one that I can enter my own URL into. Always display the image at 192.168.1.1/pics.info.jpg and reload it every 30 seconds.
that alone would rock as I can make info displays at the doorways with weather and appointment info.
@Skitchin: Don’t worry it through me for a loop to and I had to go look it up. The reason it sounds so out of place is because it is being improperly used, and I’m sure an argument could be made for its usage here its not the intended use of the word.
foi⋅ble [foi-buhl] Show IPA
Use foible in a Sentence
–noun 1. a minor weakness or failing of character; slight flaw or defect: an all-too-human foible.
2. the weaker part of a sword blade, between the middle and the point
If the only difference in the feeds are the last two digits of the mac, doesn’t that mean that only 256 different feeds can exist?
Last I checked 2 hex digits didn’t leave a whole lot of combinations.
i dont see why security is an issue here since most pictures in a household are of family or friends.
i dont see anything juicy about them that would require privacy.
however i can see there being an issue if a digital picture frame is being used as a presentation device in a board room for example to show a company profits but wouldnt a normal office presentation device be better?
@ejonesss
big issue was that just about anybody could upload content to any frame
the slashdot thread was reporting people pushing really nasty pictures to random frames. Might give grandma a coronary…
I dont get what the fuss is! I have the W820.
You have to put the dpf into ‘FrameChannel’ mode at all, there must be about a hundred reasons for NOT doing that as everything I could do with FrameChannel, well, stank!
Little to no localised content for my country, let alone content I’m interested in, horribly low quality JPG files leave blocky pic artifacts and, of course, terrible security.
If you want to do it securely, set up a simple website somewhere with a specially formatted Media RSS XML file (Kodak call it Photo RSS but it obeys Yahoos Media extensions to RSS feeds). In the media RSS file are a simple bunch of definitions of JPGs or whatever on your web server.
Just put the dpf into Photo RSS mode, point it towards the XML file and you’re away.
Thats what I’m doing. I have a little project on the cards to get the site dynamically generating my own pages as JPG files, info scraped from all over the web, then updating the XML to point the frame towards the generated pics. The dpf is great because it updates pretty quickly if you update the XML file – about 30 seconds to 2 mins which is fine when the frame is on a slideshow.
I might write something up about it, its definitely the route to go down if you want to use it other than Flickr stuffs.
Does anyone know if a similar exploit exists for Kodak’s EX811 model? This is another “WiFi enabled” frame but I don’t believe it has the FrameChannel.
The “big deal” is registering frames with access codes that haven’t been activated yet, effectively locking purchasers out of their framechannel accounts. The vulnerability is still there. Try some fuzzing.
@Matt Brunton:
Check the drop down list at the top of the page
http://www.framechannel.com/signup/
@ Paul now to think about it i remember reading about people buying stuff like hard drives, mp3 players and yes even picture frames being infected with viruses and porn.
i think in that case it required buying the product then loading the virus or porn then returning it.
that worked because most stores simply taped up the box and stuck it back on the shelf (kind of like the salvation army does) unlike staples witch does not immediately stick it back on the shelf rather they send the goods back to the manufacturers rather than reselling it.
GOATSE!
Priceless
Rocking it like it’s 1999! In 2010… Wait a minute!