
Kodak Wireless Picture Frames Open To Public

Jaxoreth writes "The Kodak Easyshare Wireless Digital Picture Frame displays images via a per-frame RSS feed hosted by FrameChannel. Each frame's URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users' feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate it, allowing you to preload it with whatever content you choose."


  1. zero day vulnerability? by Froeschle · · Score: 1

    Would this constitute a zero day vulnerability?

    1. Re:zero day vulnerability? by fuzzyfuzzyfungus · · Score: 4, Funny

      It bloody well would, unless the gaping black hole of goatse man in a million homes across the country qualifies as "defense in depth"...

    2. Re:zero day vulnerability? by burni2 · · Score: 5, Insightful

      No don't mess yourself up in the first place.

      It's called a cloudfeature being so it's not a bug it's a KODAK ;)

      Share your memories and your nude girlfriends with your friends, enemies, law enforcement agencies and employers - and clouds[1].

      [1] http://www.myspace.com/developerchallenge

    3. Re:zero day vulnerability? by Spad · · Score: 1

      With the level of captcha-beating OCR software out there these days you could probably automate a scan of the entire MAC address space for Kodak, activate any available frames and upload whatever you wanted into all of them, which would be "interesting".

    4. Re:zero day vulnerability? by fuzzyfuzzyfungus · · Score: 4, Insightful

      If one were a truly awful person, one could probably maximize the damage by going with less horrifying images...

      Classic shock site stuff turns the stomach; but, for that reason, is a pretty implausible thing to have show up outside of a hack.

      A steady stream of sexual but more or less pedestrian pictures, on the other hand, is a much more plausible thing for somebody who has a little something to hide from his/her family/significant other/doting grandparents to accidentally upload to the wrong location.

      For pure nausea you can't really beat the classics; but for pure evil, the more plausible, the better...

    5. Re:zero day vulnerability? by durrr · · Score: 5, Insightful

      For maximum damage; child pornography.
      I'm sure you are all more than capable of imagining the fallout without any further explanation; it's hard to find anything being more of the .jpeg equivalent of nuclear weapons.

    6. Re:zero day vulnerability? by xaxa · · Score: 1

      By the way, don't look at the photostreams. There's a link to one in the article, and (as of the time of this comment) it's just an activation screen, but a few MAC addresses lower and the pictures are all shock stuff.

    7. Re:zero day vulnerability? by OolimPhon · · Score: 3, Funny

      Oh, come on. Don't look at the photostreams with remaining eye.

    8. Re:zero day vulnerability? by FatdogHaiku · · Score: 1

      Would this constitute a zero day vulnerability?

      ummm, do you have something less than that? The account can be pooched before the user ever opens the box containing the device... to me that's less than zero. I just tried the RSS feed in the story, altered the hex address and yes, I could have set up a device that has yet to be unboxed... Wow, someone's ass is going on the block because you just know that a ton of goatsee, porn, and disturbing images are going to go into these accounts.

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    9. Re:zero day vulnerability? by Qzukk · · Score: 2, Funny

      If I took some pictures from each person and shuffled them around to other people, would I be crossing the photostreams?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:zero day vulnerability? by Idiomatick · · Score: 2, Interesting

      I think the best would be to take someone's photos that they have uploaded already... And photoshop them. Nothing OBVIOUS... subtle... make them a bit fatter... little more greasy and maybe slightly unsymmetrical. Over the course of a few months you could crush a sufficiently vain person.

    11. Re:zero day vulnerability? by ResidntGeek · · Score: 1

      That's not what zero-day means.

      --
      ResidntGeek
  2. Mac address anatomy by Arker · · Score: 4, Insightful

    Haven't thought about this for awhile, but IIRC the first three octets are supposed to indicate the manufacturer of the device, so if we can assume the NIC in these frames is always from the same manufacturer, the address space to search becomes much smaller. Still, it's going to be pretty huge, with probably the largest number of possible URLs invalid, and most of the valid ones full of normal junk no one but family/friends really want to see anyhow. The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.

    If you see anything good, or even just really strange, be sure and post it here!

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
    1. Re:Mac address anatomy by dunezone · · Score: 3, Funny

      If you see anything good, or even just really strange, be sure and post it here!

      Nice try TMZ.

    2. Re:Mac address anatomy by Anonymous Coward · · Score: 1, Interesting

      Another one, actually preloaded with pictures. Of course the real vulnerability is the ability of others to activate and pre-load pictures. This should really be fixed soon.

    3. Re:Mac address anatomy by sakdoctor · · Score: 1

      00:DE:AD:BE:EF

      Only the finest MAC address white-listing security for MY wireless gear.

    4. Re:Mac address anatomy by vlm · · Score: 1

      The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.

      Just remember, goatse works both ways....

      Buy a frame for $50, upload goatse to it, for gods sake put the frame face down on the desk with a post it ordering everyone to not look at it, if not outright duct taping it, and you can goatse a "frame-scanner" or whatever you want to call them...

      As a side issue, Kodak probably knows what MACs they've sold (or do they?) so they could put up a VERY special page for framescanners of MACs that have never been manufactured. Two girls one frame, or something.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 4, Insightful

      Anybody else notice the "/productId=KD9371" bit of the URL? It would appear that this "framechannel" service either is, or is designed to be able to be, the backend to multiple digital-photo-frame products, possibly including those from other manufacturers. I couldn't find any other valid product IDs, but that was only in 30 seconds of putting in random strings, not a real effort.(and they claim )

      I'd say, until given compelling evidence otherwise, that any product using FrameChannel as a backend is Fucked. Worse, there may well be nothing that FrameChannel can do about it without breaking the service for all existing devices in the field. I'm sure, in principle, that those devices are firmware upgradeable (almost definitely just an embedded OS on a chunk of flash, with a weedy little ARM or MIPS SoC); but there is no assurance at all that the device manufacturers will offer one, nor does having to apply a critical firmware upgrade really fit well with the "ready for use by Grandma" image that the photoframes would really like to cultivate.

      I would say that we are looking at a much wider problem. This isn't just some hardware company fucking up the service that they hacked together as an afterthought to support their hardware product. This is a service provider company, whose service is integrated into hardware from over a dozen manufacturers, whose core service is completely broken and absurdly insecure. All it would take is one marginally tech-competent journalist to find a couple of baby pictures and/or a frame preloaded with 2-girls 1-cup to kick these guys so hard in the stock price that their investors' children won't be able to sit down for a month....

    6. Re:Mac address anatomy by mike260 · · Score: 1

      Whoever owns that frame sure has some interesting family photos...

    7. Re:Mac address anatomy by Ernesto+Alvarez · · Score: 2, Interesting

      Try KD9372.

      Also go to the registration page and you'll see a few models. Dunno about the model codes, though.

    8. Re:Mac address anatomy by arabagast · · Score: 1

      my favourite: 00:FA:CE:FE:ED

      and for some more fun hex strings: hexspeak

      --
      Doolittle : ...What is your one purpose in life?
      Bomb no.20 : To explode of course.
    9. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 2, Insightful

      I messed up the link. It should be their claimed list of devices.

      Also, the company behind this service is Thinking Screen Media. This sort of thing is, in fact, their core business.

      The above link has linkedin profiles for their entire management team and board of directors. Who wants to break the news?

    10. Re:Mac address anatomy by AmiMoJo · · Score: 1

      with probably the largest number of possible URLs invalid

      What are the chances they are sequentially numbered?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Mac address anatomy by xaxa · · Score: 1

      Like this one? (NSFW! Even for those of us in Europe.)

      It seems the registration process doesn't require anything more than the "activation code", which is shown in the RSS feeds for unactivated frames.

    12. Re:Mac address anatomy by tom17 · · Score: 1

      It seems to have been reset. I wonder if the creator de-activated it, or if the FrameChannel guys have been deleting the newly registered 'hacked' ones due to excessive traffic or something...

      Tom...

    13. Re:Mac address anatomy by MartinSchou · · Score: 1

      All it would take is one marginally tech-competent journalist to find a couple of baby pictures and/or a frame preloaded with 2-girls 1-cup

      Remember that even possessing child pornography is a federal offence or something like that in the US. Even (probably especially) if you then delete the pictures without notifying the authorities.

      Wouldn't it be interesting if someone were to send one of these picture frames to all the federal politicians in the US. And then made sure their particular frame would pull up such pictures? Instant slammer time for all politicians. Imagine how much fun the news networks would have with that.

      </evil grin>

    14. Re:Mac address anatomy by Nerdposeur · · Score: 3, Interesting

      I just sent them an email with a link to this story and urged them to act quickly. This is funny and all, but will someone please think of the grandmas?

    15. Re:Mac address anatomy by darthnoodles · · Score: 2, Informative

      All unregistered frames now go to an error image. It states that they can't provide a registration number at this time. Looks like they caught on.

    16. Re:Mac address anatomy by NotBornYesterday · · Score: 1

      Instant slammer time for all politicians.

      If they were regular people, maybe. Even then, decent investigative work should show that they were framed, so to speak (har har har). I know you're just joking, but can you imagine the uproar this would cause? Hilarious, to be sure, until the congresscritters use it as an excuse to legislate another rights-curbing abomination to control the internet in the name of protecting the children.

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    17. Re:Mac address anatomy by Tensor · · Score: 1

      racy like this ? NSFW obviously

      http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6e

    18. Re:Mac address anatomy by geekoid · · Score: 1

      try TK321

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    19. Re:Mac address anatomy by yacc143 · · Score: 1

      Well, ideally you should do that out of a country that has a more strict definition of child pornography. Then mail the frames with a believable cover letter, ...

      And then post the URLs to the news media and the FBI, ideally anonymously :)

    20. Re:Mac address anatomy by An+ominous+Cow+art · · Score: 1

      I tried TK421, but it wasn't at its post.

    21. Re:Mac address anatomy by MichaelSmith · · Score: 1

      It's not in the correct position.

    22. Re:Mac address anatomy by pwfffff · · Score: 1

      Some programmer's day just got a lot shittier as well... :(

    23. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 2, Informative

      All addresses are now returning an identical "fmdefaultfeed", so it looks like they got a dirty hack in place. Probably a fair few bullets sweated, though.

      I just hope that the inevitable grudge firings fall on the guy who said "C'mon, unique keys will add manufacturing complexity, we'll just use MACs" rather than whatever poor bastard just did the implementation.

  3. Competition: by RMH101 · · Score: 1

    Best "you've been p0wned" slideshow set. Post URL when done.

    1. Re:Competition: by think_nix · · Score: 1

      all your pix are belong to us

    2. Re:Competition: by mike260 · · Score: 1

      Looks like the guy who broke the story has been visited by the frame-fairy.

    3. Re:Competition: by RMH101 · · Score: 1

      that is *pure* 4chan. Nice find!

  4. so now we know the main plot point by circletimessquare · · Score: 3, Funny

    for "the ring ii"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  5. Luckily... by fuzzyfuzzyfungus · · Score: 3, Interesting

    MAC addresses are in no way predictable based on the company producing the product in question, so we should be perfectly safe.

    Sarcasm aside, how could they possibly have thought that this was a good idea? Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made, and anything with enough processor power and mass storage to run these sorts of web functions could have gotten away with cramming in an onboard GUID or some certs or something. WTF?

    1. Re:Luckily... by drinkypoo · · Score: 1

      It's pretty obvious, they printed the MAC on the device, and were looking for a unique code to use for the password that wasn't the serial number.

      I'm hoping I can hack my HP photo frame, it's got USB2, CF, and SD! It plays fullscreen video very nicely (I transcoded a DVD to it with ogmrip) and I would guess it's got some cojones.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Luckily... by Stenchwarrior · · Score: 1

      Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made

      Then maybe they will implement MNS (Mac Name Service)?

      --
      Loading...
  6. cue ... by Anonymous Coward · · Score: 2, Insightful

    /. effect across the entire product line. Be polite and don't load them with tubgirl.

  7. How many people will get their brand new frame... by Chrisq · · Score: 4, Insightful

    How many people will get their brand new frame home, plug it in and find that it displays a "preloaded" goatse

  8. Well... by benjymous · · Score: 2, Interesting

    It seems you get an RSS feed with an activation code no matter what you enter for the frameid (it doesn't even seem to have to be a valid MAC address) so it seems they're not filtering on the server for addresses that actually belong to frames

    --
    Help me! I'm turning into a grapefruit!
    1. Re:Well... by Ernesto+Alvarez · · Score: 4, Interesting

      Even more interesting, using an id of "'" (an apostrophe) gets you some sort of default channel with some rather nice pictures. They even change them after some time.

      http://rss.framechannel.com//productId=KD9371/frameId='

      I wonder what's happening behind curtains.

    2. Re:Well... by benjymous · · Score: 1

      Considering that the activation code has 5 alphabetic characters, I'd guess the process works something like:

      Frame requests a page based on its MAC
      Server has no record, so it generates a new feed, creates a (random?) activation code, and logs this in its database
      User sees the message, enters the activation code online, which is retrieved from the db.

      5 digits doesn't give many options. What happens if they all get used up when people start scanning and generating fake IDs? Will the database just fall over, and be unable to activate new frames at all?

      --
      Help me! I'm turning into a grapefruit!
    3. Re:Well... by Ernesto+Alvarez · · Score: 1

      I meant what was going on with the apostrophe business.
      What sort of logic would get the default feed.

      (I was honestly expecting a database error....)

    4. Re:Well... by ConstantiusChlorus · · Score: 2, Funny

      I wonder what's happening behind curtains.

      Screaming. Finger pointing, witch-hunts and frantic resume polishing. The usual.

    5. Re:Well... by mike260 · · Score: 1

      5 digits doesn't give many options.

      It's 5 alphanumeric chars, so that's around 60m combinations. A limit of 60m activations in-flight at any one time seems reasonable to me.

    6. Re:Well... by benjymous · · Score: 1

      Ahh, you're right - the few I tried all seemed to be alphabetic only, which would've rather limited the pool

      --
      Help me! I'm turning into a grapefruit!
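As an added example (not FrameChannel's or Kodak's code; the server logic, record layout and token scheme are assumptions), the activation flow benjymous sketches above is modelled next to a hardened design, with mike260's 5-character code-space arithmetic as a helper: the vulnerable service mints a record and leaks its activation code for any ID that is fetched, while the hardened one serves only factory-provisioned random tokens and rejects everything else.

```python
"""Model of the FrameChannel-style activation flow discussed in the thread,
beside a hardened design. Constructed example; not the vendor's code."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALNUM = string.ascii_uppercase + string.digits   # 36 symbols
ALPHA = string.ascii_uppercase                   # 26 symbols


def code_space(alphabet: str, length: int) -> int:
    """Number of distinct codes of `length` symbols over `alphabet`
    (36**5 is the 'around 60m' figure quoted above; 26**5 is far smaller)."""
    return len(alphabet) ** length


def new_code(length: int = 5) -> str:
    """Random activation code, drawn with the secrets module (not random)."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


@dataclass
class FrameRecord:
    activation_code: str
    owner: Optional[str] = None
    photos: List[str] = field(default_factory=list)


class VulnerableFrameService:
    """Feed keyed by the frame's MAC address (guessable, printed on the box).
    A fetch for an unknown ID creates a record on the spot, and the feed then
    hands the activation code to whoever fetched the URL, so anyone who can
    guess or enumerate an ID can claim the frame before its owner does."""

    def __init__(self) -> None:
        self.frames: Dict[str, FrameRecord] = {}

    def feed(self, frame_id: str) -> dict:
        rec = self.frames.get(frame_id)
        if rec is None:
            rec = FrameRecord(activation_code=new_code())  # auto-provisioned
            self.frames[frame_id] = rec
        if rec.owner is None:
            return {"status": "unactivated", "activation_code": rec.activation_code}
        return {"status": "active", "photos": list(rec.photos)}

    def activate(self, code: str, account: str) -> bool:
        # Any code seen in any feed binds that frame to the caller's account.
        for rec in self.frames.values():
            if rec.owner is None and rec.activation_code == code:
                rec.owner = account
                return True
        return False


class HardenedFrameService:
    """Each frame leaves the factory with a random 128-bit token burned into
    firmware and stored in the provisioning database (assumed design). The feed
    URL carries that token, not the MAC: unknown tokens are refused rather than
    created, so a guessed URL yields neither photos nor a code, and each
    activation code is single-use. The activation endpoint still needs online
    rate limiting, since 36**5 codes are guessable if attempts are unlimited."""

    def __init__(self) -> None:
        self.frames: Dict[str, FrameRecord] = {}
        self.pending: Dict[str, str] = {}   # activation code -> token

    def provision(self) -> str:
        """Manufacturing step: mint the token and the code the frame will show."""
        token = secrets.token_hex(16)
        code = new_code()
        self.frames[token] = FrameRecord(activation_code=code)
        self.pending[code] = token
        return token

    def feed(self, token: str) -> Optional[dict]:
        rec = self.frames.get(token)
        if rec is None:
            return None   # treat as HTTP 404; nothing is minted for strangers
        if rec.owner is None:
            return {"status": "unactivated", "activation_code": rec.activation_code}
        return {"status": "active", "photos": list(rec.photos)}

    def activate(self, code: str, account: str) -> bool:
        token = self.pending.pop(code, None)   # pop makes the code single-use
        if token is None:
            return False
        self.frames[token].owner = account
        return True
```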
  9. Re:How many people will get their brand new frame. by Anonymous Coward · · Score: 1, Insightful

    With the right script and image recognition software, everyone in a few hours.

  10. Actually this illustrates the problem well by Chrisq · · Score: 2, Funny

    This innocent person has posted pictures of children and some recognisable locations. All it takes is for some pedo pervert to fantasise over the pictures and track them down.

    1. Re:Actually this illustrates the problem well by Anonymous Coward · · Score: 4, Insightful

      Of course, because tracking children down through compromised picture frames is so much more convenient for a person with malicious intent than just going to a local playground or primary school.

      I really don't understand this urge of blowing simple stories completely out of proportion by mentioning pedosexuals, muslims or the banking system.

    2. Re:Actually this illustrates the problem well by Chrisq · · Score: 1

      Well for a known offender it would be a safer activity... I'm not saying it's likely but it could happen

    3. Re:Actually this illustrates the problem well by Anonymous Coward · · Score: 1, Insightful

      And the exact same thing can't happen via webpages, blogs, social networking sites, and any of eleventy billion other places people post photos of their children?

      Christ, get a sense of perspective here.

    4. Re:Actually this illustrates the problem well by mike260 · · Score: 2, Insightful

      The frame would have switched back to the activation screen again. The owner would've scratched his head, shrugged, followed the activation instructions and re-upped his photos, innocent to the dark forces swirling beneath the surface of his friendly-looking gadgets.

    5. Re:Actually this illustrates the problem well by geekoid · · Score: 1

      Recognized location would mean a place the pedo visits already.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    6. Re:Actually this illustrates the problem well by pwfffff · · Score: 1

      A) You've been to the Statue of Liberty, the Eiffel Tower, the Great Wall of China, and the moon.
      B) You've never heard of any of the above.
      C) You can recognize locations you don't visit.

      One of these options is aligned with reality. See if you can figure out which.

    7. Re:Actually this illustrates the problem well by Thud457 · · Score: 1

      A) You've been to the Statue of Liberty, the Eiffel Tower, the Great Wall of China, and the moon.
      B) You've never heard of any of the above.
      C) You can recognize locations you don't visit.

      One of these options is aligned with reality. See if you can figure out which.

      That'd be A) , I'm fuckin' Buzz Aldrin, beeotches!!!!

      --
      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    8. Re:Actually this illustrates the problem well by Blakey+Rat · · Score: 1

      I really don't understand this urge of blowing simple stories completely out of proportion by mentioning pedosexuals, muslims or the banking system.

      Me neither.

      If you're going to blow simple stories completely out of proportion, you'd be better off mentioning pedosexuals, Muslims *and* the banking system all at the same time! Do it right, people.

  11. Pictures of dicks by bluefoxlucid · · Score: 2, Funny

    And of course, we live in a world where every 13 year old is going to look at this and go, "Sweet! When the next guy buys one of these things, he's going to see pictures of dicks!"

  12. Re:Not cool... by Anonymous Coward · · Score: 2, Interesting

    Some kind soul needs to put together an image that explains how insecure the system is and its ramifications, and upload it to all photo frames.

  13. The sad thing is... by jomegat · · Score: 4, Insightful

    The really sad thing here is that if some white hat wrote a script to find these and upload to them an image warning the owners of the vulnerability, said white hat would almost certainly get smacked down by a DMCA suit or face civil/criminal penalties. No good deed goes unpunished.

    --
    In theory, practice and theory are the same. In practice, they're not.

  14. This is hilarious! by Dri · · Score: 1

    I'd pay a grand to see the system design behind the "frame" and what decisions were made on what grounds. The arguments like, -"Hey, there is this thing called a MAC address, it's like, globally unique and stuff!"

    Kodak, you're toast!

    --
    Girls are strange. They don't come with a man page.
    -- Michael Mattsson
    1. Re:This is hilarious! by fuzzyfuzzyfungus · · Score: 1

      If you are serious, just give these guys a ring...

      That is the upper management, board of directors, and board of advisors for the company behind this mess (yes, Virginia, this isn't just Kodak, this is a company whose core business is "connected screens"). Take a bow, guys, take a bow.

    2. Re:This is hilarious! by SanityInAnarchy · · Score: 1

      My brain rebels at trying to actually read that paragraph.

      Thinking Screen Media, Inc. (formerly Frame Media, Inc.) is the leader in content delivery to connected screens worldwide. Founded in 2007, Thinking Screen enhances the value proposition of connected screens...

      ...and I just stop. I have to, or I'll black out from the stupidity. "Enhances the value proposition"... gah!

      Even when I force myself (with some considerable effort) to read the entire thing, that's got to be one of the most empty bits of marketing fluff I've ever seen.

      --
      Don't thank God, thank a doctor!
  15. Let's get it on... by Dri · · Score: 2, Funny
    --
    Girls are strange. They don't come with a man page.
    -- Michael Mattsson
  16. Not difficult to track down actual users by Anonymous Coward · · Score: 3, Interesting

    1. Play with the MAC address to find a live frame. It took me 4 tries.
    2. Scroll down and see if one of their images is the weather forecast, complete with the city and state for the forecast.
    3. Now look at the userid. It likely contains a first initial and a last name.
    4. City, state, last name, first initial -- that may very well be enough to get a street address.
    5. Most people have pics of their family, including their kids. You've got a name, address, and photos of the fam.

    It seems to me that goatse/tubgirl -ing these things is the only responsible thing to do. Sure, a few dozen (hundred?) people will have to gouge their eyes out, but it's a small sacrifice necessary to generate consumer push back on this kind of nonsense.

    1. Re:Not difficult to track down actual users by Anonymous Coward · · Score: 4, Insightful

      Ah yes, the infamous false dichotomy. :) Because simply putting a "Your Photo Frame Has Been Hacked" message just wouldn't do. Only hard-core porn is appropriate.

    2. Re:Not difficult to track down actual users by xaxa · · Score: 1

      A picture of Goatse is hardly necessary.

      Just a picture with the text "This device is insecure. Your photographs are available online at [rss address]. For more information, see [news site]" would be fine.

    3. Re:Not difficult to track down actual users by Anonymous Coward · · Score: 1, Informative

      Ordinary people don't freak out about seeing "this device is insecure". They just shrug and move on. Ordinary people do freak out about seeing goatse, though. If you wanted to hurt Kodak financially (as a disincentive to using such poor security practices), preloading with goatse would be 100x more effective than preloading with some polite message. It would also be far more likely to get press coverage.

    4. Re:Not difficult to track down actual users by radish · · Score: 1

      1. Drive down random street.
      2. Stop outside random house.
      3. Check inside mailbox - you now have name & address.
      4. Hang around a bit on a weekend, you now have an actual family in front of you!

      I'm all about protecting privacy, but the ability to get the name and address of a random person is hardly new. What's more dangerous (and I don't think is really possible here) is the ability to get the name and address of a _specific_ person. The security concern in this situation (AFAIC) is the ability for people to randomly snarf photos you thought were at least reasonably private, and the ability to insert stuff into your frame.

      --
      ---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    5. Re:Not difficult to track down actual users by natehoy · · Score: 1

      With respect, your scenario is extremely impractical. I can't think of a single benefit using a hacked Kodak frame would offer to the would-be pedophile.

      Kodak frames exist across the country. The pedophile would have to hack random frames one by one and look at pictures to narrow pictures down to:
      (a) a victim they like,
      (b) that they can then verify actually lives in the house and isn't a grandparent's house or something,
      (c) whose parents have put enough information on the frame to be identified and located,
      (d) in close enough proximity to them to make it feasible.
      Then, they'd still have to collect enough information to figure out when the child might be unattended so they can attempt a kidnapping, or figure out some other means of luring the child away.

      In other words, the frame offers them almost no useful information, and takes a great deal more time and effort than a Facebook search (which yields far more data AND offers a way to contact the victim) or just getting in their car and driving randomly around school zones watching for kids walking home alone, then figuring out what general direction they are headed. Or just driving around looking for a kid walking alone.

      If the pedophile wants pictures of your kids taking a bath, OK, I can see this being a risk if you're uncomfortable with someone spanking off to pictures of your kids. I know the concept of it happening with a picture of my daughter makes my skin crawl.

      And Kodak needs to fix this or recall their frames (or sell them as an interesting social experiment in digital graffiti - I might pay a few bucks for one and publish its URL just out of sheer curiosity about what random strangers might post to it).

      But they don't need to recall it to protect children from being kidnapped.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    6. Re:Not difficult to track down actual users by SanityInAnarchy · · Score: 1

      Actually, yeah. American consumers do pretty much need that kind of a kick in the balls before they'll take action.

      --
      Don't thank God, thank a doctor!
    7. Re:Not difficult to track down actual users by FiloEleven · · Score: 1

      "This device is insecure" is too weak. "YOU'VE BEEN HACKED" in big red letters with further details below is the way to go. Eye-catching, and likely to get a response, especially if there's a number to call--keep in mind that most people are more comfortable with phones than the internets.

      Putting goatse on there is irresponsible and unhelpful, especially in cases where the person who set up the channel is not the person displaying the frame (think grandma). Don't try to dress up your lulz as something they're not.

  17. Doesn't surprise me by Kaz+Riprock · · Score: 2, Interesting

    Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

    I mean, who lets the frame go on the internet and builds in a timer for when to turn the frame off and on at night...but then when it comes back on it ONLY goes to its own internal memory and NOT the last gallery you were viewing via the WiFi?? Every morning you have to reconnect it to the internet galleries...and its ability to cache the pics from the internet is so poor that it will often claim it has an "error" and...REVERT BACK TO INTERNAL MEMORY! It's next to impossible to use it to view galleries on the internet...that can ONLY be on their website...AND that they're now CHARGING you to keep "active"!

    So, no, it doesn't surprise me at all that they could screw even this basic security up.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
    1. Re:Doesn't surprise me by vlm · · Score: 2, Insightful

      Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

      I've noticed that problem is nearly universal across the entire pic frame marketplace. I swear the manufacturers are trying to kill the marketplace by intentionally making frames with horrific UIs.

      Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix. And please no BS about processing power as everyone knows an 8 MHz XT in the 80s was good enough to view Pr0n so don't give me some BS that a dedicated 100 MHz processor "could never possibly display a picture without preprocessing".

      Why can't I buy a frame that simply displays a URL? Here's the webcam IMG tag, now download it every 60 minutes and leave me alone? Again no stupid third party subscription BS please?

      Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?

      All I can find to purchase is either flash card only, or if it's networked it's absolute junk garbage.

      Unless some manufacturer will build one that doesn't suck (and I got a pocket full of cash I'm willing to spend), I'm going to have to wall mount a plain ole LCD monitor, get one of those "video over Cat-5 balun thingys" and run a low power PC in my basement. I swear I'm gonna do it this year (is that the geekiest 2010 New Year's resolution ever?)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Doesn't surprise me by Skraut · · Score: 1

      Agree 100%. Wife bought me a frame for Christmas that she found in a grocery store, I read the box and made her take it back. Then my parents got her the same exact frame. Horrible resolution, no wireless features, the darn thing couldn't even play the photos randomly, just play them sequentially.

      --
      Introducing Microsoft Vacuum 1.0 The first Microsoft product that doesn't suck.
    3. Re:Doesn't surprise me by Neeth · · Score: 1
      --
      Yes, I am the one with the legendary sig.
    4. Re:Doesn't surprise me by wowbagger · · Score: 4, Insightful

      "Why can't I buy a frame that simply displays a URL?"
      "Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?"
      "Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service."

      Because then how can the manufacturer of the frame monetize you from a worthless waste of baryonic matter into a shining revenue stream? You forget your place, consumer: you are to consume product and crap cash on demand, month in, month out. Now get to work!

    5. Re:Doesn't surprise me by machine321 · · Score: 1

      Perhaps you should have purchased a Chumby, although most people would balk at a 4" picture frame for $100.

    6. Re:Doesn't surprise me by nanomanc · · Score: 1

      So make one then.

    7. Re:Doesn't surprise me by Just+Some+Guy · · Score: 2, Informative

      Why can't I buy a frame that simply displays a .RSS on the internet? [snip etc etc etc ]

      You want a Chumby. Mine does all that, and you can SSH into it.

      --
      Dewey, what part of this looks like authorities should be involved?
    8. Re:Doesn't surprise me by Achra · · Score: 1

      Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix.

      Actually, the Kodak EasyShare frames that we happen to be discussing have this feature. I own one, it's a weird little box, but you can definitely point it to whatever RSS feed you like. And no, mine isn't pointed to framechannel.

      --
      Each processor would proceed sequentially as if it had been better for them not to rise against Saul.
    9. Re:Doesn't surprise me by netsharc · · Score: 1

      Hah, but you sort of can: set up your own DNS server on your router, resolve the server's name to your own server, and give it whatever feed you want. :)

      OK that's more steps than "buy a frame that simply displays a .RSS on the internet", but... it would be a neat hack.

      --
      What time is it/will be over there? Check with my iPhone app!
  18. Re:How many people will get their brand new frame. by tom17 · · Score: 1
  19. Re:How many people will get their brand new frame. by couchslug · · Score: 1

    "How many people will get their brand new frame home, plug it in and find that it displays a "preloaded" goatse"

    I now have a gift idea my friends will remember.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  20. Looks like you can also reset accounts..... by Ernesto+Alvarez · · Score: 4, Interesting

    I was checking some of the links and noticed a few interesting parameters.

    http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9372/frameModelId=1/frameId=PAPAPA/reset=0/language=en/7072.jpg

    See that parameter named reset? I activated an account and verified it as activating. Then I triggered that reset parameter to 1 and it went back to the pre-activation state!

    1. Re:Looks like you can also reset accounts..... by benjymous · · Score: 3, Interesting

      Ok, now it's nasty - until now you could randomly initialise an inactive (possibly never real in the first place) account. Now it seems you can find the real accounts, and reset them into nastiness.

      Massive product recall ahoy

      --
      Help me! I'm turning into a grapefruit!
    2. Re:Looks like you can also reset accounts..... by mike260 · · Score: 1

      Yep, verified.
      Mod parent up - as someone else said, this enables a whole new level of nastiness.

    3. Re:Looks like you can also reset accounts..... by laughing_badger · · Score: 5, Funny

      So, a script that changes the content for a video of Obama looking around the room for a few seconds at a random time every few days and then restores the original content. That would probably send some paranoid folks nucular.

      --
      Help children born unable to swallow - www.tofs.org.uk
    4. Re:Looks like you can also reset accounts..... by Edzilla2000 · · Score: 1

      A simple script, and every single account wiped clean... That's even better than the goatse idea!!

    5. Re:Looks like you can also reset accounts..... by mike260 · · Score: 1

      They really need to take this site down now.

      From your mouth to the framemedia's ears:
      "We are unable to activate your frame at this time. Please email support@framemedia.com for help resolving this issue."

    6. Re:Looks like you can also reset accounts..... by argStyopa · · Score: 1

      "That would probably send some paranoid folks nucular." ...or give the White House some new ideas. Thanks a bunch.

      --
      -Styopa
    7. Re:Looks like you can also reset accounts..... by Culture20 · · Score: 1

      So, a script that changes the content for a video of Obama looking around the room for a few seconds at a random time every few days and then restores the original content. That would probably send some paranoid folks nucular.

      *Smoke*


      *Smoke*

      Are you smoking yet?

    8. Re:Looks like you can also reset accounts..... by discojohnson · · Score: 1

      The firmware is self-updating over the web, so if they made the service smarter, it'd be a relatively easily implemented fix. I have one of these, but then again I use my local UPnP server for my frames.

  21. New Name for company (or device) by galego · · Score: 1

    PwnDak

    --

    Que Deus te de em dobro o que me desejas

    [May God give you double that which you wish for me]

  22. Re:FrameChannel content for goatse2600 by DevConcepts · · Score: 1

    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6A Have fun just changing ID... FrameChannel content for goatse2600 http://www.framechannel.com/ Channel for user goatse2600 2 Gaping Bunghole goatse2600 FALSE My Photos http://fs.framechannel.com/31c8c815fb7ed72689d48793be853def.jpg My Photos Tue, 05 Jan 2010 14:15:57 -0500

  23. Switch activation codes, get someone else's pics? by Anonymous Coward · · Score: 1, Funny

    Could be funny to swap the default activation pics (with the activation codes) so you upload your photos to someone else's photo frame and you get some randoms...

  24. Serves them right by wiredlogic · · Score: 1

    They deserve this for gutting their engineering operations in Rochester. This is what you get when you farm out your product design to the lowest bidder in a far off land.

    --
    I am becoming gerund, destroyer of verbs.
  25. Simple reason WHY they did it... by nweaver · · Score: 3, Insightful

    It's sloppy to do, but here's why they did it....

    Each device needs a unique serial number, something to identify it. But at the same time, they didn't want to customize the firmware for each device to include a serial number.

    So instead, some brilliant programmer observed that the embedded processor can get the MAC address from the NIC and use that as a serial number for accessing the web page.

    This is an old and useful trick, but the only problem is although it gives you a unique serial number per device, it gives you a predictable serial number per device and because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number. Ooops.

    --
    Test your net with Netalyzr
    1. Re:Simple reason WHY they did it... by vlm · · Score: 1

      because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number

      Looks like the device also has a username ... A pity they didn't concatenate the username with the MAC and then MD5 hash it. That would be quite unpredictable, although there is no longer a guarantee of uniqueness (although collisions would be 'kind of rare')

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Simple reason WHY they did it... by iburrell · · Score: 1

      If they had just hashed the MAC address, it would be harder to predict and not obvious it came from the MAC address. Hashing it with a secret key (but shared key) would probably have been enough security. They would have a problem if the key was compromised but it could be model or firmware version specific.
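
An added example (Python, not code from FrameChannel, Kodak or any commenter) of the design the two replies above describe: derive the feed identifier with a keyed HMAC over the model code and MAC rather than exposing the MAC, or an unkeyed hash of it, which anyone who knows the scheme can recompute offline, and require proof of ownership for state changes such as the `reset` parameter discussed in comment 20. The server key, the locally administered placeholder MAC, the owner secret and the in-memory registry are all constructed for this example; the model code string is the one that appears in the feed URLs quoted in the thread.

```python
"""Keyed, unguessable feed identifiers for a device whose serial is its MAC."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed values for the example only: a placeholder 32-byte server key
# (generate a real one with secrets.token_bytes(32)), a locally administered
# MAC that belongs to no real device, and the model code seen in the thread's URLs.
SERVER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
SAMPLE_MAC = "02:00:00:00:00:2a"
MODEL_CODE = "KD9372"


def normalize_mac(mac: str) -> bytes:
    """Canonicalise 'aa:bb:..', 'AA-BB-..' or 'aabb..' to six raw bytes."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or set(digits) - set("0123456789abcdef"):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def unkeyed_feed_id(mac: str) -> str:
    """A plain hash of the MAC. It hides the MAC from casual readers, but anyone
    who learns the scheme can recompute it for any MAC, so it is no stronger
    than using the MAC itself as the identifier (the thread's original problem)."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def keyed_feed_id(key: bytes, model_code: str, mac: str) -> str:
    """HMAC-SHA256 over a domain-separated message. Without `key` the value is
    unpredictable even though the inputs (model code, MAC) are public or guessable.
    Keying per model or firmware version, as the reply suggests, only changes `key`."""
    msg = b"feed-id-v1\x00" + model_code.encode() + b"\x00" + normalize_mac(mac)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Frame:
    model_code: str
    mac: str
    owner_secret: bytes          # per-account secret held by the owner's web login, not the frame
    activated: bool = False


@dataclass
class FeedRegistry:
    key: bytes
    frames: Dict[str, Frame] = field(default_factory=dict)   # feed_id -> Frame

    def register(self, model_code: str, mac: str) -> Tuple[str, bytes]:
        """Create the frame record; return the feed id and the owner's secret."""
        feed_id = keyed_feed_id(self.key, model_code, mac)
        owner_secret = secrets.token_bytes(16)
        self.frames[feed_id] = Frame(model_code, mac, owner_secret)
        return feed_id, owner_secret

    def resolve(self, feed_id: str) -> Optional[Frame]:
        """Look up a feed, then recompute the HMAC and compare in constant time.
        After a key rotation, records created under the old key stop resolving."""
        frame = self.frames.get(feed_id)
        if frame is None:
            return None
        expected = keyed_feed_id(self.key, frame.model_code, frame.mac)
        return frame if hmac.compare_digest(expected, feed_id) else None

    def activate(self, feed_id: str) -> bool:
        """Activation only needs the unguessable feed id, which the frame holds."""
        frame = self.resolve(feed_id)
        if frame is None:
            return False
        frame.activated = True
        return True

    def reset(self, feed_id: str, presented_secret: bytes) -> bool:
        """Destructive operations require proof of ownership, never a bare URL flag."""
        frame = self.resolve(feed_id)
        if frame is None or not hmac.compare_digest(frame.owner_secret, presented_secret):
            return False
        frame.activated = False
        return True


if __name__ == "__main__":
    registry = FeedRegistry(SERVER_KEY)
    fid, owner = registry.register(MODEL_CODE, SAMPLE_MAC)
    print("feed id:", fid)
    print("activated:", registry.activate(fid))
    print("reset without secret:", registry.reset(fid, b"guess"))
    print("reset with secret:", registry.reset(fid, owner))
```

The contrast to notice is between `unkeyed_feed_id`, which is deterministic from public input and therefore as enumerable as the MAC itself, and `keyed_feed_id`, whose output cannot be produced without the server key; the registry then treats the feed id as a capability for reading and activation only, and ties resets to a separate owner secret that never travels in the feed URL.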

    3. Re:Simple reason WHY they did it... by RealGrouchy · · Score: 1

      UNPREDICTABLE serial number

      Aren't serial numbers by definition produced in order?

      (Of course this is just semantic; "ID number" would work.)

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  26. Re:How many people will get their brand new frame. by mortonda · · Score: 1

    I felt a great disturbance in the Force. As if millions of eyes all cried out in terror, and were suddenly blinded.

  27. "Cloudfeature" by Errol+backfiring · · Score: 2, Funny

    Can somebody mod this up please?
    I like the sound of calling every security problem a "cloud feature". Suddenly it does not sound bad at all anymore!

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  28. Family Photos abound by Anonymous Coward · · Score: 2, Interesting
    1. Re:Family Photos abound by WuphonsReach · · Score: 1

      Looks like they've changed it so that unless you pass it a specific User Agent it won't display anything - anyone know what the user agent is?

      --
      Wolde you bothe eate your cake, and have your cake?
  29. The actual image storage filesystem.. by Anonymous Coward · · Score: 1, Informative

    http://fs.framechannel.com/

    returns an xml document with :

    fs.framechannel.com

    1000
    true .jpg
    2008-11-12T18:43:37.000Z
    "25b2916b5c49db617f52fa5ea48efee7"
    4
    STANDARD

    0000193a728fd00b6cff91b8840bbf8d.jpg
    2009-10-22T04:02:13.000Z
    "3ec327314496f0d6d92467f399bfdba8"

    http://fs.framechannel.com/0000193a728fd00b6cff91b8840bbf8d.jpg

    gives you the image ..

    This appears to be for all the "personal" content displayed in the frame..

  30. Re:How many people will get their brand new frame. by darthnoodles · · Score: 1

    All unregistered frames now go to an error image. It states that they can't provide a registration number at this time. Looks like they caught on.

  31. Any firmware hacks for older models? by Oyjord · · Score: 1

    I have Kodak's Easyshare EX811, one of their earlier models, and like some of the above posters, it's simply shocking how poor the firmware is in the device. It's a real near miss. The tech is there, the hardware is there, but the software feels like shackles on the user. Surely there are folks smarter than I in the open source community who've come up with their own, better firmware. I tried to Google some, but came up empty.

    1. Re:Any firmware hacks for older models? by dfsmith · · Score: 1

      You can get a little ways by playing with UPnP, but it's still a horrible system. I took a quick look at the firmware in the EX811, but it would be cheaper to get a netbook and detach the screen than try to hack this picture frame. B-(

  32. "Easyshare" - no kidding. by kriegsman · · Score: 1
    I gave a couple of these for the holidays this year thinking that this would be a great way for family to share pictures but we had an unbelievably difficult time getting them to share what we wanted when we wanted.

    Thank goodness that's all solved now!

  33. Other things to think about by Anonymous Coward · · Score: 1, Interesting

    Remember that framechannel also has plugins for ROKU boxes and many many other devices other than frames.

  34. Hack: Use other RSS feed via redirects by superswede · · Score: 1

    The hardware seems to be hardwired to framechannel.com. By using a (wireless) router that can either

      1. do URL redirects, or
      2. use a custom DNS service

    it should be possible to use an alternative service, or set up your own RSS feed. There are lots of things you could then do.

    Also, it would be possible to "hide" behind a hard-to-guess RSS URL, or possibly have the RSS server only respond to certain IP numbers.

  35. Unique IDs are there, but unused by Exp315 · · Score: 1

    I have the Kodak W1020 10" WiFi frame. It does have a unique serial number which is available on the web interface. When I signed up for FrameChannel, I had to provide a 4-digit ID displayed by the frame (don't remember now what it was, or whether it was related to the serial number or the MAC address, and it can't be displayed again without re-initializing the frame). To connect to my Kodak Gallery online account, I had to provide the frame with my email address and password. To sign in to FrameChannel on the web, I have to provide a username and password. In the My FrameChannel Advanced Settings there is a 4-digit PIN number (purpose undocumented).

    So, in summary, every bit of capability needed for security is there, awaiting a quick firmware update. It was just a bit of carelessness that FrameChannel didn't think hard enough about security in the first place. I'm willing to forgive this as long as they get together with Kodak quickly and issue a security update - it's a pretty new service, and they are still evolving rapidly. I certainly would never put any private/confidential photos on a web server of any kind. Anyone that does is naive to think it's secure. But I don't want morons defacing my frame contents.

  36. FrameChannel has already made a change by Exp315 · · Score: 1

    In the last 15 minutes the RSS url field has disappeared from the FrameChannel Advanced Settings dialog box. What good this will do I don't know, since the main vulnerability is that anyone can enter an existing predictable RSS url.

  37. "Flight to Vegas Delayed" by DingerX · · Score: 3, Interesting

    Well, someone sure is getting a jump on the pre-CES media hype. A conspiracy theorist would suggest that this Corey Halverson dude over in Seattle was slipped some info by his buddies over in Redmond working on a competing product, and looking to exclude a VC-funded startup right when they start gaining traction. That would explain why his blog only has three posts, and why he brought this up right before CES.

    Me, I take this as an object lesson for what happens when you dump your product on woot, and when you don't bother to make even the slightest effort at security.

    This truly is a PR nightmare, but will make a good plot mechanic in next season's procedural dramas.

  38. Not Just Kodak? by ralphrmartin · · Score: 1

    If you go to the framechannel website, you can find a link claiming you can share photos with a whole bunch of manufacturers' devices:

    The FAQ here: http://www.framechannel.com/FAQ/#FRAME_LIST
    sends you here: http://www.wirelesspictureframe.com/company-listing/
    where you can see this list:

    FrameChannel Wireless Digital Picture Frames
    Kodak
    D-Link
    Philips Electronics
    Samsung
    Digital Spectrum, Inc.
    PhotoVu
    Edge Tech Corporation
    InTouch
    Motorola
    Pix-Star
    Toshiba

    Other Digital Picture Frames
    Bigeframe
    Fidelity Electronics, Inc.
    KoolVu
    Pandigital
    Parrot
    PF Digital, Inc.
    Polaroid Corpoation [their typo, not mine!]
    Portable USA
    Royal
    Sungale Group, Inc.
    Westinghouse Digital Electronics

  39. Wonder if they can block by User-Agent by Bretski · · Score: 1

    A quick fix that would get 99.9% of us out of people's pics, if the User-Agent string is something unique to the frames. This would only allow HTTP requests from frames, not from desktop browsers. Yes, we can change our user agent string on the desktop browser to match, but like I say - 99.9% of people wouldn't know how.

    1. Re:Wonder if they can block by User-Agent by Mr.+DOS · · Score: 1

      99.9% of people don't know how to do the simple URL-based thing we're doing here, either.

            --- Mr. DOS

    2. Re:Wonder if they can block by User-Agent by Anonymous Coward · · Score: 1, Insightful

      All FrameChannel has to do is immediately turn off the ability to connect to RSS feeds by MAC address. They already have an alternative capability to connect by username/password, and the Kodak frames already support it. Users may be temporarily annoyed at having to change their connect method on the frame, but Kodak can fix that later with a firmware update.

      As for registering a frame in the first place, each frame also has a unique serial number, so it would be pretty easy for FrameChannel to tighten up the registration procedure by requiring all new registrations of Kodak frames to provide their serial number as well as the ID code.

  40. Or photoshop their existing pictures by tlambert · · Score: 1

    Or you could photoshop their existing pictures to put their subjects into compromising or illegal situations.

    The resolution on these things and the typical images uploaded to the server is low enough that you could probably make it very hard for even an expert to detect that they were fakes, just by looking at the picture.

    -- Terry

  41. Kodak frantically deleting/resetting feeds by Areyoukiddingme · · Score: 1

    This one is long gone, as are the other two featuring nudity.

    Ok, people, prove the old adage. If it's uploaded to the Internet, it's there forever. I expect links to a picture sharing site (that allows explicit pictures) before the day is out, with corroborating posts from those who saw them.

    Aka pics or it didn't happen. :)

    1. Re:Kodak frantically deleting/resetting feeds by iPhr0stByt3 · · Score: 1

      Well, it DID happen... but it looks like the above method no longer works, so at least until someone takes the time to sniff the "new" rss url for the framechannel feed we're safe ;).

    2. Re:Kodak frantically deleting/resetting feeds by iPhr0stByt3 · · Score: 1

      It would seem that the originally mentioned framechannel URL is not the only privacy issue. That particular RSS feed (with the MAC address in the URL) only pulls public information. "Wait" you say, "I put my naked butt in my private flickr collection, not the public one". The next privacy breach is the picture store of framechannel. Try

      http://fs.framechannel.com

      Then choose a random .jpg from the XML and add to the end of that URL. Like this:

      http://fs.framechannel.com/47df05c1e351a795fe95a66feb09ad64.jpg

  42. redirect... by Anonymous Coward · · Score: 1, Interesting

    It seems they now redirect everything to their default National Geographic feed.. Did they already implement Bretski's idea and start filtering on user agent? Anybody got this model that can validate if it's still working on the device and if so sniff and see what user agent it is using..

  43. Re:Not cool... by maokh · · Score: 1

    It was my own RSS link I posted, which the service provider provided me to share with whomever. You are looking at pictures of my family, my kids, my facebook, etc. How is this poor form?