Kodak Wireless Picture Frames Open To Public
Jaxoreth writes "The Kodak Easyshare Wireless Digital Picture Frame displays images via a per-frame RSS feed hosted by FrameChannel. Each frame's URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users' feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate it, allowing you to preload it with whatever content you choose."
zero day vulnerability? (Score:1)
Re:zero day vulnerability? (Score:5, Funny)
Re: (Score:2)
With the level of captcha-beating OCR software out there these days you could probably automate a scan of the entire MAC address space for Kodak, activate any available frames and upload whatever you wanted into all of them, which would be "interesting".
Re:zero day vulnerability? (Score:5, Insightful)
Classic shock site stuff turns the stomach; but, for that reason, is a pretty implausible thing to have show up outside of a hack.
A steady stream of sexual but more or less pedestrian pictures, on the other hand, is a much more plausible thing for somebody who has a little something to hide from his/her family/significant other/doting grandparents to accidentally upload to the wrong location.
For pure nausea you can't really beat the classics; but for pure evil, the more plausible, the better...
Re:zero day vulnerability? (Score:5, Insightful)
I'm sure you are all more than capable of imagining the fallout without any further explanation; it's hard to find anything being more of the
Re: (Score:2)
By the way, don't look at the photostreams. There's a link to one in the article, and (as of the time of this comment) it's just an activation screen, but a few MAC addresses lower and the pictures are all shock stuff.
Re:zero day vulnerability? (Score:4, Funny)
Oh, come on. Don't look at the photostreams with remaining eye.
Re: (Score:3, Funny)
If I took some pictures from each person and shuffled them around to other people, would I be crossing the photostreams?
Re: (Score:3, Interesting)
Or photoshop their existing pictures (Score:2)
Or you could photoshop their existing pictures to put their subjects into compromising or illegal situations.
The resolution on these things and the typical images uploaded to the server is low enough that you could probably make it very hard for even an expert to detect that they were fakes, just by looking at the picture.
-- Terry
Re:zero day vulnerability? (Score:5, Insightful)
No don't mess yourself up in the first place.
It's called a cloudfeature being so it's not a bug it's a KODAK ;)
Share your memories and your nude girlfriends with your friends, enemies, law enforcement agencies and employers - and clouds[1].
[1]http://www.myspace.com/developerchallenge
"Cloudfeature" (Score:3, Funny)
I like the sound of calling every security problem a "cloud feature". Suddenly it does not sound bad at all anymore!
Re: (Score:2)
Would this constitute a zero day vulnerability?
ummm, do you have something less than that? The account can be pooched before the user ever opens the box containing the device... to me that's less than zero. I just tried the RSS feed in the story, altered the hex address and yes, I could have set up a device that has yet to be unboxed... Wow, someone's ass is going on the block because you just know that a ton of goatsee, porn, and disturbing images are going to go into these accounts.
Re: (Score:2)
Mac address anatomy (Score:5, Insightful)
Haven't thought about this for a while, but IIRC the first three octets are supposed to indicate the manufacturer of the device, so if we can assume the NIC in these frames is always from the same manufacturer, the address space to search becomes much smaller. Still, it's going to be pretty huge, with probably the largest number of possible URLs invalid, and most of the valid ones full of normal junk no one but family/friends really want to see anyhow. The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.
If you see anything good, or even just really strange, be sure and post it here!
Re:Mac address anatomy (Score:4, Funny)
If you see anything good, or even just really strange, be sure and post it here!
Nice try TMZ.
Re: (Score:2)
00:DE:AD:BE:EF
Only the finest MAC address white-listing security for MY wireless gear.
Re: (Score:2)
my favourite: 00:FA:CE:FE:ED
and for some more fun hex strings: hexspeak [wikipedia.org]
Re: (Score:2)
The probability of one or two really nice racy pictures in there will no doubt motivate someone to search the space eventually though.
Just remember, goatse works both ways....
Buy a frame for $50, upload goatse to it, for God's sake put the frame face down on the desk with a post-it ordering everyone to not look at it, if not outright duct taping it, and you can goatse a "frame-scanner" or whatever you want to call them...
As a side issue, Kodak probably knows what MACs they've sold (or do they?) so they could put up a VERY special page for framescanners of MACs that have never been manufactured. Two girls one frame, or something.
Re: (Score:2)
Like this one? [framechannel.com] (NSFW! Even for those of us in Europe.)
It seems the registration process doesn't require anything more than the "activation code", which is shown in the RSS feeds for unactivated frames.
Re: (Score:2)
Tom...
Re: (Score:2)
What are the chances they are sequentially numbered?
Re: (Score:2, Informative)
Re: (Score:2)
http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6e
Re:Mac address anatomy (Score:5, Insightful)
I'd say, until given compelling evidence otherwise, that any product using FrameChannel as a backend is Fucked. Worse, there may well be nothing that FrameChannel can do about it without breaking the service for all existing devices in the field. I'm sure, in principle, that those devices are firmware upgradeable (almost definitely just an embedded OS on a chunk of flash, with a weedy little ARM or MIPS SoC); but there is no assurance at all that the device manufacturers will offer one, nor does having to apply a critical firmware upgrade really fit well with the "ready for use by Grandma" image that the photoframes would really like to cultivate.
I would say that we are looking at a much wider problem. This isn't just some hardware company fucking up the service that they hacked together as an afterthought to support their hardware product. This is a service provider company, whose service is integrated into hardware from over a dozen manufacturers, whose core service is completely broken and absurdly insecure. All it would take is one marginally tech-competent journalist to find a couple of baby pictures and/or a frame preloaded with 2-girls 1-cup to kick these guys so hard in the stock price that their investors' children won't be able to sit down for a month....
Re: (Score:3, Interesting)
Try KD9372.
Also go to the registration page and you'll see a few models. Dunno about the model codes, though.
Re: (Score:2)
try TK321
Re: (Score:2)
I tried TK421, but it wasn't at its post.
Re: (Score:2)
It's not in the correct position.
Re: (Score:3, Insightful)
Also, the company behind this service is Thinking Screen Media [thinkingscreen.com]. This sort of thing is, in fact, their core business.
The above link has linkedin profiles for their entire management team and board of directors. Who wants to break the news?
Re:Mac address anatomy (Score:4, Interesting)
I just sent them an email with a link to this story and urged them to act quickly. This is funny and all, but will someone please think of the grandmas?
Re: (Score:3, Informative)
I just hope that the inevitable grudge firings fall on the guy who said "C'mon, unique keys will add manufacturing complexity, we'll just use MACs" rather than whatever poor bastard just did the implementation.
Re: (Score:2)
Remember that even possessing child pornography is a federal offence or something like that in the US. Even (probably especially) if you then delete the pictures without notifying the authorities.
Wouldn't it be interesting if someone were to send one of these picture frames to all the federal politicians in the US. And then made sure their particular frame would pull u
Re: (Score:2)
Instant slammer time for all politicians.
If they were regular people, maybe. Even then, decent investigative work should show that they were framed, so to speak (har har har). I know you're just joking, but can you imagine the uproar this would cause? Hilarious, to be sure, until the congresscritters use it as an excuse to legislate another rights-curbing abomination to control the internet in the name of protecting the children.
"Flight to Vegas Delayed" (Score:4, Interesting)
Me, I take this as an object lesson for what happens when you dump your product on woot, and when you don't bother to make even the slightest effort at security.
This truly is a PR nightmare, but will make a good plot mechanic in next season's procedural dramas.
Re: (Score:2)
Whoever owns that frame sure has some interesting family photos...
Actually this illustrates the problem well (Score:3, Funny)
Re:Actually this illustrates the problem well (Score:4, Insightful)
Of course, because tracking children down through compromised picture frames is so much more convenient for a person with malicious intent than just going to a local playground or primary school.
I really don't understand this urge of blowing simple stories completely out of proportion by mentioning pedosexuals, muslims or the banking system.
Re: (Score:2)
Re: (Score:2)
I really don't understand this urge of blowing simple stories completely out of proportion by mentioning pedosexuals, muslims or the banking system.
Me neither.
If you're going to blow simple stories completely out of proportion, you'd be better off mentioning pedosexuals, Muslims *and* the banking system all at the same time! Do it right, people.
Re: (Score:2)
Recognized location would mean a place the pedo visits already.
Re: (Score:2)
A) You've been to the Statue of Liberty, the Eiffel Tower, the Great Wall of China, and the moon.
B) You've never heard of any of the above.
C) You can recognize locations you don't visit.
One of these options is aligned with reality. See if you can figure out which.
That'd be A) , I'm fuckin' Buzz Aldrin, beeotches!!!!
Re: (Score:3, Insightful)
The frame would have switched back to the activation screen again. The owner would've scratched his head, shrugged, followed the activation instructions and re-upped his photos, innocent to the dark forces swirling beneath the surface of his friendly-looking gadgets.
Competition: (Score:2)
Re: (Score:2)
all your pix are belong to us
Re: (Score:2)
Looks like the guy who broke the story [seattlewireless.net] has been visited by the frame-fairy [framechannel.com].
Re: (Score:2)
so now we know the main plot point (Score:4, Funny)
for "the ring ii"
Luckily... (Score:4, Interesting)
Sarcasm aside, how could they possibly have thought that this was a good idea? Nobody expects Joe Consumer to remember something as hostile as a MAC address, so there isn't a "user convenience" argument to be made, and anything with enough processor power and mass storage to run these sorts of web functions could have gotten away with cramming in an onboard GUID or some certs or something. WTF?
Re: (Score:2)
It's pretty obvious, they printed the MAC on the device, and were looking for a unique code to use for the password that wasn't the serial number.
I'm hoping I can hack my HP photo frame, it's got USB2, CF, and SD! It plays fullscreen video very nicely (I transcoded a DVD to it with ogmrip) and I would guess it's got some cojones.
cue ... (Score:2, Insightful)
How many people will get their brand new frame... (Score:5, Insightful)
Re:How many people will get their brand new frame. (Score:2)
"How many people will get their brand new frame home, plug it in and find that it displays a "preloaded" goatse"
I now have a gift idea my friends will remember.
Re: (Score:2)
I felt a great disturbance in the Force. As if millions of eyes all cried out in terror, and were suddenly blinded.
Re: (Score:2)
Well... (Score:3, Interesting)
It seems you get an RSS feed with an activation code no matter what you enter for the frameid (it doesn't even seem to have to be a valid MAC address) so it seems they're not filtering on the server for addresses that actually belong to frames
Re:Well... (Score:5, Interesting)
Even more interesting, using an id of "'" (an apostrophe) gets you some sort of default channel with some rather nice pictures. They even change them after some time.
http://rss.framechannel.com//productId=KD9371/frameId=' [framechannel.com]
I wonder what's happening behind curtains.
Re: (Score:2)
Considering that the activation code has 5 alphabetic characters, I'd guess the process works something like:
Frame requests a page based on its MAC
Server has no record, so it generates a new feed, creates a (random?) activation code, and logs this in its database
User sees the message, enters the activation code online, which is retrieved from the db.
5 digits doesn't give many options. What happens if they all get used up when people start scanning and generating fake IDs? Will the database just fall over,
Re: (Score:2)
I meant what was going on with the apostrophe business.
What sort of logic would get the default feed.
(I was honestly expecting a database error....)
Re: (Score:2)
5 digits doesn't give many options.
It's 5 alphanumeric chars, so that's around 60m combinations. A limit of 60m activations in-flight at any one time seems reasonable to me.
Re: (Score:2)
Ahh, you're right - the few I tried all seemed to be alphabetic only, which would've rather limited the pool
Re: (Score:2, Funny)
I wonder what's happening behind curtains.
Screaming. Finger pointing, witch-hunts and frantic resume polishing. The usual.
Pictures of dicks (Score:3, Funny)
The sad thing is... (Score:5, Insightful)
Let's get it on... (Score:2, Funny)
http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:8a [framechannel.com]
Not difficult to track down actual users (Score:3, Interesting)
1. Play with the MAC address to find a live frame. It took me 4 tries.
2. Scroll down and see if one of their images is the weather forecast, complete with the city and state for the forecast.
3. Now look at the userid. It likely contains a first initial and a last name.
4. City, state, last name, first initial -- that may very well be enough to get a street address.
5. Most people have pics of their family, including their kids. You've got a name, address, and photos of the fam.
It seems to me that goatse/tubgirl -ing these things is the only responsible thing to do. Sure, a few dozen (hundred?) people will have to gouge their eyes out, but it's a small sacrifice necessary to generate consumer push back on this kind of nonsense.
Re: (Score:2)
1. Drive down random street.
2. Stop outside random house.
3. Check inside mailbox - you now have name & address.
4. Hang around a bit on a weekend, you now have an actual family in front of you!
I'm all about protecting privacy, but the ability to get the name and address of a random person is hardly new. What's more dangerous (and I don't think is really possible here) is the ability to get the name and address of a _specific_ person. The security concern in this situation (AFAIC) is the ability for peopl
Re: (Score:2)
With respect, your scenario is extremely impractical. I can't think of a single benefit using a hacked Kodak frame would offer to the would-be pedophile.
Kodak frames exist across the country. The pedophile would have to hack random frames one by one and look at pictures to narrow pictures down to:
(a) a victim they like,
(b) that they can then verify actually lives in the house and isn't a grandparent's house or something,
(c) whose parents have put enough information on the frame to be identified and locat
Re:Not difficult to track down actual users (Score:4, Insightful)
Ah yes, the infamous false dichotomy. :) Because simply putting a "Your Photo Frame Has Been Hacked" message just wouldn't do. Only hard-core porn is appropriate.
Re: (Score:2)
Actually, yeah. American consumers do pretty much need that kind of a kick in the balls before they'll take action.
Re: (Score:2)
A picture of Goatse is hardly necessary.
Just a picture with the text "This device is insecure. Your photographs are available online at [rss address]. For more information, see [news site]" would be fine.
Re: (Score:2)
"This device is insecure" is too weak. "YOU'VE BEEN HACKED" in big red letters with further details below is the way to go. Eye-catching, and likely to get a response, especially if there's a number to call--keep in mind that most people are more comfortable with phones than the internets.
Putting goatse on there is irresponsible and unhelpful, especially in cases where the person who set up the channel is not the person displaying the frame (think grandma). Don't try to dress up your lulz as something th
Doesn't surprise me (Score:3, Interesting)
Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.
I mean, who lets the frame go on the internet and builds in a timer for when to turn the frame off and on at night...but then when it comes back on it ONLY goes to its own internal memory and NOT the last gallery you were viewing via the WiFi?? Every morning you have to reconnect it to the internet galleries...and its ability to cache the pics from the internet is so poor that it will often claim it has an "error" and...REVERT BACK TO INTERNAL MEMORY! It's next to impossible to use it to view galleries on the internet...that can ONLY be on their website...AND that they're now CHARGING you to keep "active"!
So, no, it doesn't surprise me at all that they could screw even this basic security up.
Re: (Score:3, Insightful)
Given how rudimentary and just plain awful Kodak's interface was for their WiFi picture frames from 2 years ago when I bought a few for the family to share the same albums with each other across the nation, this story doesn't surprise me in the least.
I've noticed that problem is nearly universal across the entire pic frame marketplace. I swear the manufacturers are trying to kill the marketplace by intentionally making frames with horrific UIs.
Why can't I buy a frame that simply displays a .RSS on the internet? Not a monthly pay service. Not some 3rd party that'll probably be out of business before the batteries die. Not some special format only. Just freaking show me the pix. And please no BS about processing power as everyone knows an 8 MHz XT in
Re: (Score:2)
Re:Doesn't surprise me (Score:5, Insightful)
"Why can't I buy a frame that simply displays a URL?" .RSS on the internet? Not a monthly pay service."
"Why can't I buy a frame that simply watches for a specific browsable SMB share and directory, and every time it appears on the network, sync to the local copy, plus sync every 15 minutes thereafter?"
"Why can't I buy a frame that simply displays a
Because then how can the manufacturer of the frame monetize you from a worthless waste of baryonic matter into a shining revenue stream? You forget your place, consumer: you are to consume product and crap cash on demand, month in, month out. Now get to work!
Re: (Score:3, Informative)
Why can't I buy a frame that simply displays a .RSS on the internet? [snip etc etc etc ]
You want a Chumby [chumby.com]. Mine does all that, and you can SSH into it.
Re: (Score:2)
Re: (Score:2)
Hah, but you sort of can: set up your own DNS server on your router, resolve the server's name to your own server, and give it whatever feed you want. :)
OK that's more steps than "buy a frame that simply displays a .RSS on the internet", but... it would be a neat hack.
Looks like you can also reset accounts..... (Score:5, Interesting)
I was checking some of the links and noticed a few interesting parameters
http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9372/frameModelId=1/frameId=PAPAPA/reset=0/language=en/7072.jpg [framechannel.com]
See that parameter named reset? I activated an account and verified it as activating. Then I triggered that reset parameter to 1 and it went back to the pre-activation state!
Re:Looks like you can also reset accounts..... (Score:4, Interesting)
Ok, now it's nasty - until now you could randomly initialise an inactive (possibly never real in the first place) account. Now it seems you can find the real accounts, and reset them into nastiness.
Massive product recall ahoy
Re: (Score:2)
Yep, verified.
Mod parent up - as someone else said, this enables a whole new level of nastiness.
Re: (Score:2)
They really need to take this site down now.
From your mouth to the framemedia's ears:
"We are unable to activate your frame at this time. Please email support@framemedia.com for help resolving this issue."
Re:Looks like you can also reset accounts..... (Score:5, Funny)
Re: (Score:2)
"That would probably send some paranoid folks nucular." ...or give the White House some new ideas. Thanks a bunch.
Re: (Score:2)
So, a script that changes the content for a video of Obama looking around the room for a few seconds at a random time every few days and then restores the original content. That would probably send some paranoid folks nucular.
*Smoke*
*Smoke*
Are you smoking yet?
New Name for company (or device) (Score:2)
Serves them right (Score:2)
They deserve this for gutting their engineering operations in Rochester. This is what you get when you farm out your product design to the lowest bidder in a far off land.
Simple reason WHY they did it... (Score:4, Insightful)
It's sloppy to do, but here's why they did it....
Each device needs a unique serial number, something to identify it. But at the same time, they didn't want to customize the firmware for each device to include a serial number.
So instead, some brilliant programmer observed that the embedded processor can get the MAC address from the NIC and use that as a serial number for accessing the web page.
This is an old and useful trick, but the only problem is although it gives you a unique serial number per device, it gives you a predictable serial number per device and because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number. Ooops.
Re: (Score:2)
because of the nature of the back-end service, they didn't just need a UNIQUE serial number, but also an UNPREDICTABLE serial number
Looks like the device also has a username ... A pity they didn't concatenate the username with the MAC and then MD5 hash it. That would be quite unpredictable, although there is no longer a guarantee of uniqueness (although collisions would be 'kind of rare')
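Added illustration, not code from the thread, from Kodak or from FrameChannel: a toy in-memory feed service modelling the design these comments describe (frame id is the MAC, an unknown id auto-creates an account and hands out its activation code, and the reset parameter needs only the id) next to a hardened version in which each frame is provisioned with a random secret at manufacture and every request carries an HMAC proof with a nonce, so the MAC stays a public label rather than a credential. The class names, the proof format and the nonce scheme are assumptions; the sample MAC in the test is the one from the link posted above.

```python
import hashlib
import hmac
import re
import secrets
import string

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
CODE_ALPHABET = string.ascii_uppercase + string.digits  # 36**5 ~= 60.5M codes

def normalize_mac(mac: str) -> str:
    """Reject anything that is not a MAC and canonicalise case for lookups."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.upper()

def random_code(length: int = 5) -> str:
    """5-char activation code, as the thread saw on unactivated feeds."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))

class WeakFeedService:
    """Frame id == MAC, nothing else: the 'before' picture from the thread.
    Any valid MAC yields a feed, unknown ones are auto-created and their
    activation code handed out, and reset needs only the id."""

    def __init__(self):
        self.accounts = {}  # mac -> {"activated": bool, "code": str}

    def feed(self, frame_id: str) -> dict:
        mac = normalize_mac(frame_id)
        return self.accounts.setdefault(
            mac, {"activated": False, "code": random_code()})

    def reset(self, frame_id: str) -> None:
        self.accounts[normalize_mac(frame_id)]["activated"] = False

class HardenedFeedService:
    """Same service, but each frame gets a random secret at the factory.
    The MAC stays a public label; authority is an HMAC over (action, MAC,
    nonce) under that secret, so a guessed neighbouring MAC yields nothing
    and a captured proof cannot be replayed (nonces must increase)."""

    def __init__(self):
        self.devices = {}  # mac -> {"secret", "activated", "nonce"}

    def provision(self, mac: str) -> bytes:
        """Manufacturing step: mint a 128-bit secret, stored on both sides."""
        secret = secrets.token_bytes(16)
        self.devices[normalize_mac(mac)] = {
            "secret": secret, "activated": False, "nonce": 0}
        return secret

    @staticmethod
    def proof(secret: bytes, action: str, mac: str, nonce: int) -> str:
        """What the frame computes; the server recomputes and compares it."""
        msg = f"{action}|{normalize_mac(mac)}|{nonce}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def _authorize(self, action: str, mac: str, nonce: int, proof: str) -> dict:
        dev = self.devices.get(normalize_mac(mac))
        if dev is None:
            raise PermissionError("unknown frame")  # no auto-create for strangers
        expected = self.proof(dev["secret"], action, mac, nonce)
        if nonce <= dev["nonce"] or not hmac.compare_digest(expected, proof):
            raise PermissionError("bad or replayed proof")
        dev["nonce"] = nonce
        return dev

    def feed(self, mac: str, nonce: int, proof: str) -> dict:
        return self._authorize("feed", mac, nonce, proof)

    def reset(self, mac: str, nonce: int, proof: str) -> None:
        self._authorize("reset", mac, nonce, proof)["activated"] = False
```

The per-device secret is what the MD5(username + MAC) suggestion above lacks: anything derived only from values printed on the box or sent on the wire is still guessable, whereas a factory-provisioned random secret is unique and unpredictable at once.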
Family Photos abound (Score:2, Interesting)
Someone recently graduated, and really likes hot air balloons [framechannel.com]
many random -- changed twice while posting this [framechannel.com]
Nice travel photography [framechannel.com]
Meh. [framechannel.com]
VERY NSFW - I'd hate to be the one who got this frame for grandma! [framechannel.com]
Stunning photography, too good to be theirs... damned image pirates [framechannel.com]
Cute kid; mom needs to wear sunblock [framechannel.com]
Cute baby pics [framechannel.com]
Wow, it's amazing what I'll do when bored, while WoW servers are down for patching.
Re: (Score:2)
"Easyshare" - no kidding. (Score:2)
Thank goodness that's all solved now!
Unique IDs are there, but unused (Score:2)
FrameChannel has already made a change (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
That is the upper management, board of directors, and board of advisors for the company behind this mess (yes, Virginia, this isn't just Kodak, this is a company whose core business is "connected screens"). Take a bow, guys, take a bow.
Re: (Score:2)
My brain rebels at trying to actually read that paragraph.
Thinking Screen Media, Inc. (formerly Frame Media, Inc.) is the leader in content delivery to connected screens worldwide. Founded in 2007, Thinking Screen enhances the value proposition of connected screens...
...and I just stop. I have to, or I'll black out from the stupidity. "Enhances the value proposition"... gah!
Even when I force myself (with some considerable effort) to read the entire thing, that's got to be one of the most empty bits of marketing fluff I've ever seen.
Re: (Score:2)
99.9% of people don't know how to do the simple URL-based thing we're doing here, either.
--- Mr. DOS
Kodak frantically deleting/resetting feeds (Score:2)
This one is long gone, as are the other two featuring nudity.
Ok, people, prove the old adage. If it's uploaded to the Internet, it's there forever. I expect links to a picture sharing site (that allows explicit pictures) before the day is out, with corroborating posts from those who saw them.
Aka pics or it didn't happen. :)