Forgot your password?
typodupeerror
Privacy Security

Kodak Wireless Picture Frames Open To Public 185

Posted by kdawson
from the look-ma-a-picture-of-a-goat dept.
Jaxoreth writes "The Kodak Easyshare Wireless Digital Picture Frame displays images via a per-frame RSS feed hosted by FrameChannel. Each frame's URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users' feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate it, allowing you to preload it with whatever content you choose."
This discussion has been archived. No new comments can be posted.

Kodak Wireless Picture Frames Open To Public

Comments Filter:
  • Would this constitute a zero day vulnerability?
    • by fuzzyfuzzyfungus (1223518) on Tuesday January 05, 2010 @09:14AM (#30653826) Journal
      It bloody well would, unless the gaping black hole of goatse man in a million homes across the country qualifies as "defense in depth"...
      • by Spad (470073)

        With the level of captcha-beating OCR software out there these days you could probably automate a scan of the entire MAC address space for Kodak, activate any available frames and upload whatever you wanted into all of them, which would be "interesting".

        • by fuzzyfuzzyfungus (1223518) on Tuesday January 05, 2010 @09:44AM (#30654022) Journal
          If one were a truly awful person, one could probably maximize the damage by going with less horrifying images...

          Classic shock site stuff turns the stomach; but, for that reason, is a pretty implausible thing to have show up outside of a hack.

          A steady stream of sexual but more or less pedestrian pictures, on the other hand, is a much more plausible thing for somebody who has a little something to hide from his/her family/significant other/doting grandparents to accidentally upload to the wrong location.

          For pure nausea you can't really beat the classics; but for pure evil, the more plausible, the better...
          • by durrr (1316311) on Tuesday January 05, 2010 @10:32AM (#30654482)
            For maximum damage; child pornography.
            I'm sure you are all more than capable of imagining the fallout without any further explanation; it's hard to find anything being more of the .jpeg equivalent of nuclear weapons.
          • by xaxa (988988)

            By the way, don't look at the photostreams. There's a link to one in the article, and (as of the time of this comment) it's just an activation screen, but a few MAC addresses lower and the pictures are all shock stuff.

          • Re: (Score:3, Interesting)

            by Idiomatick (976696)
            I think the best would be to take someone's photos that they have uploaded already... And photoshop them. Nothing OBVIOUS... subtle... make them a bit fatter... little more greasy and maybe slightly unsymmetrical. Over the course a few months you could crush a sufficiently vain person.
          • Or you could photoshop their existing pictures to put their subjects into compromising or illegal situations.

            The resolution on these things and the typical images uploaded to the server is low enough that you could probably make it very hard for even an expert to detect that they were fakes, just by looking at the picture.

            -- Terry

    • by burni2 (1643061) on Tuesday January 05, 2010 @09:26AM (#30653920)

      No don't mess yourself up in the first place.

      It's called a cloudfeature being so it's not a bug it's a KODAK ;)

      Share your memories and your nude girlfriends with your friends, enemies, law enforcement agencies and employers - and clouds[1].

      [1]http://www.myspace.com/developerchallenge

    • Would this constitute a zero day vulnerability?

      ummm, do you have something less than that? The account can be pooched before the user ever opens the box containing the device... to me that's less than zero. I just tried the RSS feed in the story, altered the hex address and yes, I could have set up a device that has yet to be unboxed... Wow, someone's ass is going on the block because you just know that a ton of goatsee, porn, and disturbing images are going to go into these accounts.

  • by Arker (91948) on Tuesday January 05, 2010 @09:16AM (#30653834) Homepage Journal

    Havent thought about this for awhile, but IIRC the first three octets are supposed to indicate the manufacturer of the device, so if we can assume the NIC in these frames is always from the same manufacturer, the address space to search becomes much smaller. Still, it's going to be pretty huge, with probably the largest number of possible URLs invalid, and most of the valid ones full of normal junk no one but family/friends really want to see anyhow. The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.

    If you see anything good, or even just really strange, be sure and post it here!

    • by dunezone (899268) on Tuesday January 05, 2010 @09:19AM (#30653870) Journal

      If you see anything good, or even just really strange, be sure and post it here!

      Nice try TMZ.

    • 00:DE:AD:BE:EF

      Only the finest MAC address white-listing security for MY wireless gear.

    • by vlm (69642)

      The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.

      Just remember, goatse works both ways....

      Buy a frame for $50, upload goatse to it, for gods sake put the frame face down on the desk with a post it ordering everyone to not look at it, if not outright duct taping it, and you can goatse a "frame-scanner" or whatever you want to call them...

      As a side issue, Kodak probably knows what MACs they've sold (or do they?) so they could put up a VERY special page for framescanners of MACs that have never been manufactured. Two girls one frame, or something.

      • by xaxa (988988)

        Like this one? [framechannel.com] (NSFW! Even for those of us in Europe.)

        It seems the registration process doesn't require anything more than the "activation code", which is shown in the RSS feeds for unactivated frames.

        • by tom17 (659054)
          It seems to have been reset. I wonder if the creator de-activated it, or if the FrameChannel guys have been deleting the newly registered 'hacked' ones due to excessive traffic or something...

          Tom...
    • by AmiMoJo (196126)

      with probably the largest number of possible URLs invalid

      What are the chances they are sequentially numbered?

    • Re: (Score:2, Informative)

      by darthnoodles (831210)
      All unregistered frames now go to an error image. It states that they can't provide a registration number at this time. Looks like they caught on.
    • by Tensor (102132)
      racy like this ? NSFW obviously

      http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6e
  • Best "you've been p0wned" slideshow set. Post URL when done.
  • Luckily... (Score:4, Interesting)

    by fuzzyfuzzyfungus (1223518) on Tuesday January 05, 2010 @09:18AM (#30653854) Journal
    MAC addresses are in no way predictable based on the company producing the product in question, so we should be perfectly safe.

    Sarcasm aside, how could they possibly have thought that this was a good idea? Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made, and anything with enough processor power and mass storage to run these sorts of web functions could have gotten away with cramming in an onboard GUID or some certs or something. WTF?
    • by drinkypoo (153816)

      It's pretty obvious, they printed the MAC on the device, and were looking for a unique code to use for the password that wasn't the serial number.

      I'm hoping I can hack my HP photo frame, it's got USB2, CF, and SD! It plays fullscreen video very nicely (I transcoded a DVD to it with ogmrip) and I would guess it's got some cojones.

  • cue ... (Score:2, Insightful)

    by Anonymous Coward
    /. effect across the entire product line. Be polite and don''t load them with tubgirl.
  • by Chrisq (894406) on Tuesday January 05, 2010 @09:22AM (#30653880)
    How many people will get their brand new frame home, plug it in and find that it displays a "preloaded" goatse
  • Well... (Score:3, Interesting)

    by benjymous (69893) on Tuesday January 05, 2010 @09:24AM (#30653904) Homepage

    It seems you get an RSS feed with an activation code no matter what you enter for the frameid (it doesn't even seem to have to be a valid MAC address) so it seems they're not filtering on the server for addresses that actually belong to frames

    • Re:Well... (Score:5, Interesting)

      by Ernesto Alvarez (750678) on Tuesday January 05, 2010 @09:50AM (#30654072) Homepage Journal

      Even more interesting, using an id of "'" (an apstrophe) gets you some sort of default channel with some rather nice pictures. They even change them after some time.

      http://rss.framechannel.com//productId=KD9371/frameId=' [framechannel.com]

      I wonder what's happening behind curtains.

      • by benjymous (69893)

        Considering that the activation code has 5 alphabetic characters, I'd guess the process works something like:

        Frame requests a page based on its MAC
        Server has no record, so it generates a new feed, creates a (random?) activation code, and logs this in its database
        User sees the message, enters the activation code online, which is retrieved from the db.

        5 digits doesn't give many options. What happens if they all get used up when people start scanning and generating fake IDs? Will the database just fall over,

        • I meant what was going on with the apostrophe business.
          What sort of logic would get the default feed.

          (I was honestly expecting a database error....)

        • by mike260 (224212)

          5 digits doesn't give many options.

          It's 5 alphanumeric chars, so that's around 60m combinations. A limit of 60m activations in-flight at any one time seems reasonable to me.

          • by benjymous (69893)

            Ahh, you right - the few I tried all seemed to be alphabetic only, which would've rather limited the pool

      • Re: (Score:2, Funny)

        I wonder what's happening behind curtains.

        Screaming. Finger pointing, witch-hunts and frantic resume polishing. The usual.

  • by bluefoxlucid (723572) on Tuesday January 05, 2010 @09:45AM (#30654032) Journal
    And of course, we live in a world where every 13 year old is going to look at this and go, "Sweet! When the next guy buys one of these things, he's going to see pictures of dicks!"
  • by jomegat (706411) on Tuesday January 05, 2010 @09:48AM (#30654058)
    The really sad thing here is that if some white hat wrote a script to find these and upload to them an image warning the owners of the vulnerability, said white hat would almost certainly get smacked down by a DMCA suit or face civil/criminal penalties. No good deed goes unpunished.
  • by Anonymous Coward on Tuesday January 05, 2010 @09:53AM (#30654102)

    1. Play with the MAC address to find a live frame. It took me 4 tries.
    2. Scroll down and see if one of their images is the weather forecast, complete with the city and state for the forecast.
    3. Now look at the userid. It likely contains a first initial and a last name.
    4. City, state, last name, first initial -- that may very well be enough to get a street address.
    5. Most people have pics of their family, including their kids. You've got a name, address, and photos of the fam.

    It seems to me that goatse/tubgirl -ing these things is the only responsible thing to do. Sure, a few dozen (hundred?) people will have to gouge their eyes out, but it's a small sacrifice necessary to generate consumer push back on this kind of nonsense.

    • by radish (98371)

      1. Drive down random street.
      2. Stop outside random house.
      3. Check inside mailbox - you now have name & address.
      4. Hang around a bit on a weekend, you now have an actual family in front of you!

      I'm all about protecting privacy, but the ability to get the name and address of a random person is hardly new. What's more dangerous (and I don't think is really possible here) is the ability to get the name and address of a _specific_ person. The security concern in this situation (AFAIC) is the ability for peopl

    • by natehoy (1608657)

      With respect, your scenario is extremely impractical. I can't think of a single benefit using a hacked Kodak frame would offer to the would-be pedophile.

      Kodak frames exist across the country. The pedophile would have to hack random frames one by one and look at pictures to narrow pictures down to:
      (a) a victim they like,
      (b) that they can then verify actually lives in the house and isn't a grandparent's house or something,
      (c) whose parents have put enough information on the frame to be identified and locat

  • Doesn't surprise me (Score:3, Interesting)

    by Kaz Riprock (590115) on Tuesday January 05, 2010 @09:56AM (#30654118)

    Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

    I mean, who lets the frame go on the internet and builds in a timer for when to turn the frame off and on at night...but then when it comes back on it ONLY goes to its own internal memory and NOT the last gallery you were viewing via the WiFi?? Every morning you have to reconnect it to the internet galleries...and its ability to cache the pics from the internet is so poor that it will often claim it has an "error" and...REVERT BACK TO INTERNAL MEMORY! It's next to impossible to use it to view galleries on the internet...that can ONLY be on their website...AND that they're now CHARGING you to keep "active"!

    So, no, it doesn't surprise me at all that they could screw even this basic security up.

    • Re: (Score:3, Insightful)

      by vlm (69642)

      Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.

      I've noticed that problem is nearly universal across the entire pic frame marketplace. I swear the manufacturers are trying to kill the marketplace by intentionally making frame with horrific UIs.

      Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix. And please no BS about processing power as everyone knows a 8 MHz XT in

      • by Skraut (545247)
        Agree 100% Wife bought me a frame for Christmas that she found in a grocery store, I read the box and made her take it back. Then my parents got her the same exact frame. Horrible resolution, no wireless features, the darn thing couldn't even play the photos randomly, just play them sequentially.
      • by wowbagger (69688) on Tuesday January 05, 2010 @10:30AM (#30654458) Homepage Journal

        "Why can't I buy a frame that simply displays a URL?"
        "Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?"
        "Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service."

        Because then how can the manufacturer of the frame monitize you from a worthless waste of baryonic matter into a shining revenue stream? You forget your place, consumer: you are to consume product and crap cash on demand, month in, month out. Now get to work!

      • Re: (Score:3, Informative)

        by Just Some Guy (3352)

        Why can't I buy a frame that simply displays a .RSS on the internet? [snip etc etc etc ]

        You want a Chumby [chumby.com]. Mine does all that, and you can SSH into it.

      • by Achra (846023)

        Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix.

        Actually, the Kodak EasyShare frames that we happen to be discussing have this feature. I own one, it's a weird little box, but you can definitely point it to whatever RSS feed you like. and No, mine isn't pointed to framechannel.

      • by netsharc (195805)

        Hah, but you sort of can: set up your own DNS server on your router, resolve the server's name to your own server, and give it whatever feed you want. :)

        OK that's more steps than "buy a frame that simply displays a .RSS on the internet", but... it would be a neat hack.

  • by Ernesto Alvarez (750678) on Tuesday January 05, 2010 @10:08AM (#30654248) Homepage Journal

    I was checking some of the links and noticed a few interesting parameters

    http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9372/frameModelId=1/frameId=PAPAPA/reset=0/language=en/7072.jpg [framechannel.com]

    See that parameter named reset? I activated an account and verified it as activating. Then I triggered that reset parameter to 1 and it went back to the pre-activation state!

  • They deserve this for gutting their engineering operations in Rochester. This is what you get when you farm out your product design to the lowest bidder in a far off land.

  • by nweaver (113078) on Tuesday January 05, 2010 @11:01AM (#30654880) Homepage

    Its sloppy to do, but here's why they did it....

    Each device needs a unique serial number, something to identify it. But at the same time, they didn't want to customize the firmware for each device to include a serial number.

    So instead, some brilliant programmer observed that the embedded processor can get the MAC address from the NIC and use that as a serial number for accessing the web page.

    This is an old and useful trick, but the only problem is although it gives you a unique serial number per device, it gives you a predictable serial number per device and because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number. Ooops.

    • by vlm (69642)

      because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number

      Looks like the device also has a username ... A pity they didn't concatenate the username with the MAC and then MD5 hash it. That would be quite unpredictable, although there is no longer a guarantee of uniqueness (although collisions would be 'kind of rare')

  • Family Photos abound (Score:2, Interesting)

    by Anonymous Coward
    Someone has a new baby (possible NSFW? baby nudity) [framechannel.com]
    Someone recently graduated, and really likes hot air balloons [framechannel.com]
    many random -- changed twice while posting this [framechannel.com]
    Nice travel photography [framechannel.com]
    Meh. [framechannel.com]
    VERY NSFW - I'd hate to be the one who got this frame for grandma! [framechannel.com]
    Stunning photography, too good to be theirs... damned image pirates [framechannel.com]
    Cute kid; mom needs to wear sunblock [framechannel.com]
    Cute baby pics [framechannel.com]
    Wow. it's amazing what I'll do when bored, while WoW servers are down for patching.
    • Looks like they've changed it so that unless you pass it a specific User Agent it won't display anything - anyone know what the user agent is?
  • I gave a couple of these for the holidays this year thinking that this would be a great way for family to share pictures but we had an unbelievably difficult time getting them to share what we wanted when we wanted.

    Thank goodness that's all solved now!

  • I have the Kodak W1020 10" WiFi frame. It does have a unique serial number which is available on the web interface. When I signed up for FrameChannel, I had to provide a 4-digit ID displayed by the frame (don't remember now what it was, or whether it was related to the serial number or the MAC address, and it can't be displayed again without re-initializing the frame). To connect to my Kodak Gallery online account, I had to provide the frame with my email address and password. To sign in to FrameChannel on
    • In the last 15 minutes the RSS url field has disappeared from the FrameChannel Advanced Settings dialog box. What good this will do I don't know, since the main vulnerability is that anyone can enter an existing predictable RSS url.

"Regardless of the legal speed limit, your Buick must be operated at speeds faster than 85 MPH (140kph)." -- 1987 Buick Grand National owners manual.

Working...