Kodak Wireless Picture Frames Open To Public
Jaxoreth writes "The Kodak Easyshare Wireless Digital Picture Frame displays images via a per-frame RSS feed hosted by FrameChannel. Each frame's URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users' feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate it, allowing you to preload it with whatever content you choose."
MAC addresses are in no way predictable based on the company producing the product in question, so we should be perfectly safe.
Sarcasm aside, how could they possibly have thought that this was a good idea? Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made, and anything with enough processor power and mass storage to run these sorts of web functions could have gotten away with cramming in an onboard GUID or some certs or something. WTF?
Even more interesting, using an id of "'" (an apostrophe) gets you some sort of default channel with some rather nice pictures. They even change them after some time.
http://rss.framechannel.com//productId=KD9371/frameId='
I wonder what's happening behind curtains.
GPG 0x1B479C78
1. Play with the MAC address to find a live frame. It took me 4 tries.
2. Scroll down and see if one of their images is the weather forecast, complete with the city and state for the forecast.
3. Now look at the userid. It likely contains a first initial and a last name.
4. City, state, last name, first initial -- that may very well be enough to get a street address.
5. Most people have pics of their family, including their kids. You've got a name, address, and photos of the fam.
It seems to me that goatse/tubgirl -ing these things is the only responsible thing to do. Sure, a few dozen (hundred?) people will have to gouge their eyes out, but it's a small sacrifice necessary to generate consumer push back on this kind of nonsense.
I was checking some of the links and noticed a few interesting parameters:
http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9372/frameModelId=1/frameId=PAPAPA/reset=0/language=en/7072.jpg
See that parameter named reset? I activated an account and verified it as activating. Then I triggered that reset parameter to 1 and it went back to the pre-activation state!
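The two design flaws the thread points at are a feed keyed by a guessable hardware address (which also leaks the activation code) and a state change triggered by a bare URL parameter (`reset=1`). The following is an added example of how a feed service avoids both; it is not Kodak's or FrameChannel's code, and the `Frame`, `FeedServer`, `device_tag` names and the counter-signed request scheme are assumptions made for the illustration: the feed is keyed by a random 128-bit token, the activation code is handed only to a request that proves possession of the per-device secret, and activate/reset need that same proof plus a monotonic counter so a captured request cannot be replayed.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class Frame:
    token: str                 # random 128-bit feed id; replaces the MAC in the URL
    secret: bytes              # per-device secret known only to the frame and the server
    activation_code: str       # shown on the frame's own screen, never in the public feed
    activated: bool = False
    last_counter: int = 0      # highest request counter accepted; blocks replayed requests
    photos: list = field(default_factory=list)

def device_tag(secret: bytes, action: str, counter: int) -> bytes:
    """What the frame computes locally; a constructed stand-in for a signed request."""
    return hmac.new(secret, f"{action}:{counter}".encode(), hashlib.sha256).digest()

class FeedServer:
    def __init__(self):
        self._frames = {}

    def provision(self) -> Frame:
        """Manufacture-time setup: ids and secrets come from a CSPRNG, not the hardware address."""
        f = Frame(token=secrets.token_hex(16), secret=secrets.token_bytes(32),
                  activation_code=f"{secrets.randbelow(10**6):06d}")
        self._frames[f.token] = f
        return f

    def feed(self, token: str):
        """Public, read-only feed: unguessable token, and the response carries no activation code."""
        f = self._frames.get(token)
        return None if f is None else list(f.photos)

    def _authorized(self, f: Frame, action: str, counter: int, tag: bytes) -> bool:
        if counter <= f.last_counter:                      # stale or replayed counter
            return False
        if not hmac.compare_digest(device_tag(f.secret, action, counter), tag):
            return False                                   # constant-time tag check failed
        f.last_counter = counter                           # consume the counter only on success
        return True

    def get_activation_code(self, token: str, counter: int, tag: bytes):
        """Only the frame itself, proving the secret, can fetch the code it then displays."""
        f = self._frames.get(token)
        if f is None or not self._authorized(f, "code", counter, tag):
            return None
        return f.activation_code

    def set_state(self, token: str, action: str, counter: int, tag: bytes) -> bool:
        """activate/reset change state, so a bare URL parameter is not enough to trigger them."""
        f = self._frames.get(token)
        if f is None or action not in ("activate", "reset"):
            return False
        if not self._authorized(f, action, counter, tag):
            return False
        f.activated = (action == "activate")
        return True
```

The tag binds the action name into the signed message, so a tag captured for `activate` cannot be replayed as `reset` even with a fresh counter.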
I just sent them an email with a link to this story and urged them to act quickly. This is funny and all, but will someone please think of the grandmas?
Well, someone sure is getting a jump on the pre-CES media hype. A conspiracy theorist would suggest that this Corey Halverson dude over in Seattle was slipped some info by his buddies over in Redmond working on a competing product, and looking to exclude a VC-funded startup right when they start gaining traction. That would explain why his blog only has three posts, and why he brought this up right before CES.
Me, I take this as an object lesson for what happens when you dump your product on woot, and when you don't bother to make even the slightest effort at security.
This truly is a PR nightmare, but will make a good plot mechanic in next season's procedural dramas.