Tuesday, January 5, 2010

We don't need no stinking security in our digital photo frames

Update (Jan 6, 2010): Looks like FrameChannel is doing something to block access to known URLs. It could be something as simple as user-agent checking, but at least it is a start.

2010's first security vulnerability (that I know of) is a doozy. But before getting into that, lets take a peek into the design meeting that resulted in it.

Person 1: Lets see.. how would each customer identify the product for activation?
Person 2: We will stick a random code on each package
Big boss: No, that is too much work
Person 3: You know, each device already has an unique identifier. This MAC address...
Person 2: Shouldn't it be random? Should we talk to the security guys?
Big Boss: Awesome. Why would a photo frame need security? This MAC thingy sure looks very unfriendly, so lets label it as a user-convenience feature. While you guys do that, I will go tell my boss I came up with the idea.

This not-so-unlikely scenario is brought to you courtesy of an excellent blog post by Casey Halverson, owner of two W820 Kodak digital picture frames.

Knowing that the frames can display pretty much any RSS feed, Mr. Halvereson discovered that the configuration screen shows a URL for the RSS feed that ends in what looks suspiciously like a MAC address, because, you guessed it--it IS a MAC address. (The link below is not clickable by choice--we don't know what will be there if you visit it)

Look, its an RSS feed of what my picture frame is showing now! I can send this nice URL to everyone I know so they can look at all my private content I have configured for this device. Now, under no circumstances would I recommend changing the last digits of this MAC address frame ID to another number….because you would get someone else’s picture frame content. Why would you want to do that?

If you don't know how MAC addresses are assigned and numbered, here is a quick introduction. The first 6 hexadecimal digits (in this case, 00:23:4D) designate the manufacturer of the network card, and the remaining 6 hexadecimal digits identify a serial number assigned by the manufacturer.

So if you are looking at a Kodak photoframe, who does not make network chips, it is a pretty safe bet that they buy the chip from someone else (or their outsourced manufacturer does, but same effect). It is also a near certainty that because of economies of scale, these chips will be bought from the same company. What I am leading up to is, this means virtually ALL Kodak wireless frames will have the same first 6 digits, making the remaining address-space any number from 00:00:00 to FF:FF:FF -- a total of slightly over 16 million possible numbers: trivial for a computer to generate and check. 00:23:4D:B8:07:6D is manufactured by Hon Hai Precision Ind. Co., Ltd. Obviously, all their cards will not be used on the Kodak frames. But now that we know the name of the manufacturer, a bad guy can go and find other prefixes assigned to them, and expand the search.

The frames, by the way, can not pull down RSS feeds on their own. The feeds need to be managed through a company called FrameChannel, which, as the name indicates, is in the business of creating channels for picture frames. They very conveniently list a number of frame manufacturers they support.

Could they all be vulnerable to the same attack?

They also are saying that Woot sold 100,000 Kodak frames on Dec 20, the first day they went on the market. Given the other manufacturers, the problem-size could be more than a million vulnerable frames out there.

In their FAQ, they answered (as of this writing; I expect this to change soon):
Who can see the pictures in my account?

Unless you add pictures to a public or group channel, or share them with your invited friends, you are the only one who will see images in your account. No other FrameChannel user will ever see images you upload or add to your account unless specifically approved by you (such as in the case of a public user generated or group channel, or as a contributor to your friends' accounts). (emphasis mine)


Someone could point all the unsold/unactivated frames to pornography, or other objectionable or even illegal content like child pornography. So if you have one of these frames, what should you do? Don't feel safe because you only have nature photos. If you have the Weather channel configured, a remote viewer may be able to figure out your city and state. If your userid contains your name in some form, they may be able to narrow it down much further.

In the configuration screen, there is a URL parameter called reset=0. Any guesses as to what reset=1 will do? Yes, it gives a new activation code, and I presume it deactivates the old code. Seems like this can be used to kill feeds to a frame.

The next one is a bit more serious. One report says they saw something like:
“This frame has been preactivated” and gave the username and password and invited the user to login to framechannel.com to upload their own content.
 As long as you treat this frame as something viewable by the whole world, then you are fine.

Should you return the product? Your choice. But if you want to keep it, definitely contact the manufacturer and FrameChannel, and ask them to fix this issue.

Postscript: The bad guys can point these frames to a photostream of their choice before they are activated by the actual owner. Equally easily, the good guys can load up an image containing an warning about this risk to these frames, but they will not, because that will mean breaking more than one law. So if you know anyone with one of these frames, also tell them about this.

Rant:I don't understand why the manufacturers decided to go with a 3rd party which may go out of business (a distinct possibility given this mess) instead of just allowing any random RSS feed. It is not like this 3rd party is hosting my images or creating the RSS feed any way. So why shouldn't consumers be able to use a RSS feed directly?

Update: David Stafford asked below if an already activated and used frame can be compromised. The answer is, I think so, although I have not personally tested it yet.
The known/confirmed risks are:
- Someone may be able to view private images- Someone may be able to glean private information from the images or other channels being displayed

Unconfirmed: The major risk (remote image upload) might be possible because FrameChannel lets people who knows/guesses the frameid (the MAC address) to reset the frame. The aforementioned reset=0, when changed to reset=1, will do this. I am not posting the actual URL, but it is by now widely available on the Net.

After a frame activation is reset and re-activated, I believe at least on the Kodak model it can be done.(waiting for confirmation)

For users on unencrypted (or 40-bit WEP encrypted) WiFi, an attacker who is within the WiFi range will be able to capture the PIN, but that is true about any wireless technology and not particular to this issue


David Stafford said...

As someone that gave this frame as a gift, I understand that the rss feed is publicly viewable. (Which doesn't bother me since the pictures being displayed are public on Flickr anyhow)

What I'm not clear on his how the RSS feed URL can be used to 'manage' the device's photo subscriptions. - Could you please expand ?