Slashdot Mirror


Kodak Wireless Picture Frames Open To Public

Jaxoreth writes "The Kodak Easyshare Wireless Digital Picture Frame displays images via a per-frame RSS feed hosted by FrameChannel. Each frame's URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users' feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate it, allowing you to preload it with whatever content you choose."

42 of 185 comments

  1. Re:zero day vulnerability? by fuzzyfuzzyfungus · · Score: 4, Funny

    It bloody well would, unless the gaping black hole of goatse man in a million homes across the country qualifies as "defense in depth"...

  2. Mac address anatomy by Arker · · Score: 4, Insightful

    Haven't thought about this for a while, but IIRC the first three octets are supposed to indicate the manufacturer of the device, so if we can assume the NIC in these frames is always from the same manufacturer, the address space to search becomes much smaller. Still, it's going to be pretty huge, with probably the largest number of possible URLs invalid, and most of the valid ones full of normal junk no one but family/friends really want to see anyhow. The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.

    If you see anything good, or even just really strange, be sure and post it here!

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
    1. Re:Mac address anatomy by dunezone · · Score: 3, Funny

      If you see anything good, or even just really strange, be sure and post it here!

      Nice try TMZ.

    2. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 4, Insightful

      Anybody else notice the "/productId=KD9371" bit of the URL? It would appear that this "framechannel" service either is, or is designed to be able to be, the backend to multiple digital-photo-frame products, possibly including those from other manufacturers. I couldn't find any other valid product IDs, but that was only in 30 seconds of putting in random strings, not a real effort.(and they claim )

      I'd say, until given compelling evidence otherwise, that any product using FrameChannel as a backend is Fucked. Worse, there may well be nothing that FrameChannel can do about it without breaking the service for all existing devices in the field. I'm sure, in principle, that those devices are firmware upgradeable (almost definitely just an embedded OS on a chunk of flash, with a weedy little ARM or MIPS SoC); but there is no assurance at all that the device manufacturers will offer one, nor does having to apply a critical firmware upgrade really fit well with the "ready for use by Grandma" image that the photoframes would really like to cultivate.

      I would say that we are looking at a much wider problem. This isn't just some hardware company fucking up the service that they hacked together as an afterthought to support their hardware product. This is a service provider company, whose service is integrated into hardware from over a dozen manufacturers, whose core service is completely broken and absurdly insecure. All it would take is one marginally tech-competent journalist to find a couple of baby pictures and/or a frame preloaded with 2-girls 1-cup to kick these guys so hard in the stock price that their investors' children won't be able to sit down for a month....

    3. Re:Mac address anatomy by Ernesto+Alvarez · · Score: 2, Interesting

      Try KD9372.

      Also go to the registration page and you'll see a few models. Dunno about the model codes, though.

    4. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 2, Insightful

      I messed up the link. It should be their claimed list of devices.

      Also, the company behind this service is Thinking Screen Media. This sort of thing is, in fact, their core business.

      The above link has linkedin profiles for their entire management team and board of directors. Who wants to break the news?

    5. Re:Mac address anatomy by Nerdposeur · · Score: 3, Interesting

      I just sent them an email with a link to this story and urged them to act quickly. This is funny and all, but will someone please think of the grandmas?

    6. Re:Mac address anatomy by darthnoodles · · Score: 2, Informative

      All unregistered frames now go to an error image. It states that they can't provide a registration number at this time. Looks like they caught on.

    7. Re:Mac address anatomy by fuzzyfuzzyfungus · · Score: 2, Informative

      All addresses are now returning an identical "fmdefaultfeed", so it looks like they got a dirty hack in place. Probably a fair few bullets sweated, though.

      I just hope that the inevitable grudge firings fall on the guy who said "C'mon, unique keys will add manufacturing complexity, we'll just use MACs" rather than whatever poor bastard just did the implementation.

  3. so now we know the main plot point by circletimessquare · · Score: 3, Funny

    for "the ring ii"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Luckily... by fuzzyfuzzyfungus · · Score: 3, Interesting

    MAC addresses are in no way predictable based on the company producing the product in question, so we should be perfectly safe.

    Sarcasm aside, how could they possibly have thought that this was a good idea? Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made, and anything with enough processor power and mass storage to run these sorts of web functions could have gotten away with cramming in an onboard GUID or some certs or something. WTF?

  5. cue ... by Anonymous Coward · · Score: 2, Insightful

    /. effect across the entire product line. Be polite and don't load them with tubgirl.

  6. How many people will get their brand new frame... by Chrisq · · Score: 4, Insightful

    How many people will get their brand new frame home, plug it in and find that it displays a "preloaded" goatse

  7. Well... by benjymous · · Score: 2, Interesting

    It seems you get an RSS feed with an activation code no matter what you enter for the frameid (it doesn't even seem to have to be a valid MAC address) so it seems they're not filtering on the server for addresses that actually belong to frames

    --
    Help me! I'm turning into a grapefruit!
    1. Re:Well... by Ernesto+Alvarez · · Score: 4, Interesting

      Even more interesting, using an id of "'" (an apostrophe) gets you some sort of default channel with some rather nice pictures. They even change them after some time.

      http://rss.framechannel.com//productId=KD9371/frameId='

      I wonder what's happening behind curtains.

    2. Re:Well... by ConstantiusChlorus · · Score: 2, Funny

      I wonder what's happening behind curtains.

      Screaming. Finger pointing, witch-hunts and frantic resume polishing. The usual.

  8. Re:zero day vulnerability? by burni2 · · Score: 5, Insightful

    No don't mess yourself up in the first place.

    It's called a cloudfeature being so it's not a bug it's a KODAK ;)

    Share your memories and your nude girlfriends with your friends, enemies, law enforcement agencies and employers - and clouds[1].

    [1] http://www.myspace.com/developerchallenge

  9. Actually this illustrates the problem well by Chrisq · · Score: 2, Funny

    This innocent person has posted pictures of children and some recognisable locations. All it takes is for some pedo pervert to fantasise over the pictures and track them down.

    1. Re:Actually this illustrates the problem well by Anonymous Coward · · Score: 4, Insightful

      Of course, because tracking children down through compromised picture frames is so much more convenient for a person with malicious intent than just going to a local playground or primary school.

      I really don't understand this urge of blowing simple stories completely out of proportion by mentioning pedosexuals, muslims or the banking system.

    2. Re:Actually this illustrates the problem well by mike260 · · Score: 2, Insightful

      The frame would have switched back to the activation screen again. The owner would've scratched his head, shrugged, followed the activation instructions and re-upped his photos, innocent to the dark forces swirling beneath the surface of his friendly-looking gadgets.

  10. Re:zero day vulnerability? by fuzzyfuzzyfungus · · Score: 4, Insightful

    If one were a truly awful person, one could probably maximize the damage by going with less horrifying images...

    Classic shock site stuff turns the stomach; but, for that reason, is a pretty implausible thing to have show up outside of a hack.

    A steady stream of sexual but more or less pedestrian pictures, on the other hand, is a much more plausible thing for somebody who has a little something to hide from his/her family/significant other/doting grandparents to accidentally upload to the wrong location.

    For pure nausea you can't really beat the classics; but for pure evil, the more plausible, the better...

  11. Pictures of dicks by bluefoxlucid · · Score: 2, Funny

    And of course, we live in a world where every 13 year old is going to look at this and go, "Sweet! When the next guy buys one of these things, he's going to see pictures of dicks!"

  12. Re:Not cool... by Anonymous Coward · · Score: 2, Interesting

    Some kind soul needs to put together an image that explains how insecure the system is and its ramifications, and upload it to all photo frames.

  13. The sad thing is... by jomegat · · Score: 4, Insightful

    The really sad thing here is that if some white hat wrote a script to find these and upload to them an image warning the owners of the vulnerability, said white hat would almost certainly get smacked down by a DMCA suit or face civil/criminal penalties. No good deed goes unpunished.

    --
    In theory, practice and theory are the same. In practice, they're not.

  14. Let's get it on... by Dri · · Score: 2, Funny
    --
    Girls are strange. They don't come with a man page.
    -- Michael Mattsson
  15. Not difficult to track down actual users by Anonymous Coward · · Score: 3, Interesting

    1. Play with the MAC address to find a live frame. It took me 4 tries.
    2. Scroll down and see if one of their images is the weather forecast, complete with the city and state for the forecast.
    3. Now look at the userid. It likely contains a first initial and a last name.
    4. City, state, last name, first initial -- that may very well be enough to get a street address.
    5. Most people have pics of their family, including their kids. You've got a name, address, and photos of the fam.

    It seems to me that goatse/tubgirl -ing these things is the only responsible thing to do. Sure, a few dozen (hundred?) people will have to gouge their eyes out, but it's a small sacrifice necessary to generate consumer push back on this kind of nonsense.

    1. Re:Not difficult to track down actual users by Anonymous Coward · · Score: 4, Insightful

      Ah yes, the infamous false dichotomy. :) Because simply putting a "Your Photo Frame Has Been Hacked" message just wouldn't do. Only hard-core porn is appropriate.

  16. Doesn't surprise me by Kaz+Riprock · · Score: 2, Interesting

    Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

    I mean, who lets the frame go on the internet and builds in a timer for when to turn the frame off and on at night...but then when it comes back on it ONLY goes to its own internal memory and NOT the last gallery you were viewing via the WiFi?? Every morning you have to reconnect it to the internet galleries...and its ability to cache the pics from the internet is so poor that it will often claim it has an "error" and...REVERT BACK TO INTERNAL MEMORY! It's next to impossible to use it to view galleries on the internet...that can ONLY be on their website...AND that they're now CHARGING you to keep "active"!

    So, no, it doesn't surprise me at all that they could screw even this basic security up.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
    1. Re:Doesn't surprise me by vlm · · Score: 2, Insightful

      Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

      I've noticed that problem is nearly universal across the entire pic frame marketplace. I swear the manufacturers are trying to kill the marketplace by intentionally making frames with horrific UIs.

      Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix. And please no BS about processing power as everyone knows an 8 MHz XT in the 80s was good enough to view Pr0n so don't give me some BS that a dedicated 100 MHz processor "could never possibly display a picture without preprocessing".

      Why can't I buy a frame that simply displays a URL? Here's the webcam IMG tag, now download it every 60 minutes and leave me alone? Again no stupid third party subscription BS please?

      Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?

      All I can find to purchase is either flash card only, or if it's networked it's absolute junk garbage.

      Unless some manufacturer will build one that doesn't suck (and I got a pocket full of cash I'm willing to spend), I'm going to have to wall mount a plain ole LCD monitor, get one of those "video over Cat-5 balun thingys" and run a low power PC in my basement. I swear I'm gonna do it this year (is that the geekiest 2010 new years resolution ever?)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Doesn't surprise me by wowbagger · · Score: 4, Insightful

      "Why can't I buy a frame that simply displays a URL?"
      "Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?"
      "Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service."

      Because then how can the manufacturer of the frame monetize you from a worthless waste of baryonic matter into a shining revenue stream? You forget your place, consumer: you are to consume product and crap cash on demand, month in, month out. Now get to work!

    3. Re:Doesn't surprise me by Just+Some+Guy · · Score: 2, Informative

      Why can't I buy a frame that simply displays a .RSS on the internet? [snip etc etc etc ]

      You want a Chumby. Mine does all that, and you can SSH into it.

      --
      Dewey, what part of this looks like authorities should be involved?
  17. Looks like you can also reset accounts..... by Ernesto+Alvarez · · Score: 4, Interesting

    I was checking some of the links and noticed a few interesting parameters.

    http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9372/frameModelId=1/frameId=PAPAPA/reset=0/language=en/7072.jpg

    See that parameter named reset? I activated an account and verified it as activating. Then I triggered that reset parameter to 1 and it went back to the pre-activation state!

    1. Re:Looks like you can also reset accounts..... by benjymous · · Score: 3, Interesting

      Ok, now it's nasty - until now you could randomly initialise an inactive (possibly never real in the first place) account. Now it seems you can find the real accounts, and reset them into nastiness.

      Massive product recall ahoy

      --
      Help me! I'm turning into a grapefruit!
    2. Re:Looks like you can also reset accounts..... by laughing_badger · · Score: 5, Funny

      So, a script that changes the content for a video of Obama looking around the room for a few seconds at a random time every few days and then restores the original content. That would probably send some paranoid folks nucular.

      --
      Help children born unable to swallow - www.tofs.org.uk
  18. Re:zero day vulnerability? by durrr · · Score: 5, Insightful

    For maximum damage; child pornography.
    I'm sure you are all more than capable of imagining the fallout without any further explanation; it's hard to find anything being more of the .jpeg equivalent of nuclear weapons.

  19. Re:zero day vulnerability? by OolimPhon · · Score: 3, Funny

    Oh, come on. Don't look at the photostreams with remaining eye.

  20. Simple reason WHY they did it... by nweaver · · Score: 3, Insightful

    It's sloppy to do, but here's why they did it....

    Each device needs a unique serial number, something to identify it. But at the same time, they didn't want to customize the firmware for each device to include a serial number.

    So instead, some brilliant programmer observed that the embedded processor can get the MAC address from the NIC and use that as a serial number for accessing the web page.

    This is an old and useful trick, but the only problem is although it gives you a unique serial number per device, it gives you a predictable serial number per device and because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number. Ooops.

    --
    Test your net with Netalyzr
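The unique-but-unpredictable identifier nweaver describes, sketched as an added example (not code from this thread, Kodak or FrameChannel): the device keeps identical firmware but mints a random 128-bit id on first boot, the backend keys the feed on that id rather than the MAC, shows the activation code only on the device, and requires the owner's credential for a reset instead of a bare URL flag. `Frame` and `Backend` are hypothetical stand-ins.

```python
import secrets
from dataclasses import dataclass, field

OUI_BITS = 24          # manufacturer prefix of a 48-bit MAC is public knowledge
TOKEN_BYTES = 16       # 128-bit random identifier generated on the device


def guess_space(scheme: str) -> int:
    """Candidate ids an outsider must enumerate (assumes the OUI is known)."""
    return {"mac": 2 ** (48 - OUI_BITS), "random": 2 ** (8 * TOKEN_BYTES)}[scheme]


@dataclass
class Frame:
    """Per-device state in flash: same firmware image, per-device random id."""
    mac: str
    frame_id: str = field(default_factory=lambda: secrets.token_hex(TOKEN_BYTES))


@dataclass
class Backend:
    """Hypothetical feed server; records are keyed on the random id, not the MAC."""
    frames: dict = field(default_factory=dict)

    def register(self, frame: Frame) -> str:
        """First-boot registration. The activation code is returned to the
        device for display on its own screen; it never appears in the feed."""
        code = secrets.token_hex(4)
        self.frames[frame.frame_id] = {"mac": frame.mac, "activated": False,
                                       "code": code, "owner": None, "images": []}
        return code

    def activate(self, frame_id: str, code: str, owner_token: str) -> bool:
        rec = self.frames.get(frame_id)
        if rec is None or rec["activated"]:
            return False
        if not secrets.compare_digest(rec["code"], code):
            return False
        rec["activated"], rec["owner"] = True, owner_token
        return True

    def feed(self, frame_id: str) -> list:
        """Unknown and not-yet-activated ids are indistinguishable: empty feed."""
        rec = self.frames.get(frame_id)
        if rec is None or not rec["activated"]:
            return []
        return list(rec["images"])

    def reset(self, frame_id: str, owner_token: str) -> bool:
        """State change gated on the owner's credential, not a reset=1 parameter."""
        rec = self.frames.get(frame_id)
        if rec is None or rec["owner"] is None:
            return False
        if not secrets.compare_digest(rec["owner"], owner_token):
            return False
        rec.update(activated=False, owner=None, images=[],
                   code=secrets.token_hex(4))
        return True
```

The guess space comparison is the whole argument in one number: a MAC-keyed feed leaves 2^24 suffixes to walk once the OUI is known, while the random id leaves 2^128.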
  21. "Cloudfeature" by Errol+backfiring · · Score: 2, Funny

    Can somebody mod this up please?
    I like the sound of calling every security problem a "cloud feature". Suddenly it does not sound bad at all anymore!

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  22. Re:zero day vulnerability? by Qzukk · · Score: 2, Funny

    If I took some pictures from each person and shuffled them around to other people, would I be crossing the photostreams?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  23. "Flight to Vegas Delayed" by DingerX · · Score: 3, Interesting

    Well, someone sure is getting a jump on the pre-CES media hype. A conspiracy theorist would suggest that this Corey Halverson dude over in Seattle was slipped some info by his buddies over in Redmond working on a competing product, and looking to exclude a VC-funded startup right when they start gaining traction. That would explain why his blog only has three posts, and why he brought this up right before CES.

    Me, I take this as an object lesson for what happens when you dump your product on woot, and when you don't bother to make even the slightest effort at security.

    This truly is a PR nightmare, but will make a good plot mechanic in next season's procedural dramas.

  24. Re:zero day vulnerability? by Idiomatick · · Score: 2, Interesting

    I think the best would be to take someone's photos that they have uploaded already... And photoshop them. Nothing OBVIOUS... subtle... make them a bit fatter... little more greasy and maybe slightly unsymmetrical. Over the course of a few months you could crush a sufficiently vain person.