Kodak Easyshare Wireless Picture Frame - How to show everyone what's on your frame

I recently purchased a Kodak Easyshare Wireless Digital Picture Frame off woot for an amazing price of $49.99. In fact, I bought two. The model number is W820, which is an 8″ frame, but there is also a 10 inch version. These picture frames have built-in WiFi and can grab content off the internet.

The most exciting part about this picture frame has nothing to do with putting in an SD card full of baby pictures, and everything to do with adding fun widgets to your photo roll! Facebook status updates, Facebook photos, tweets, news, weather, live sports scores, Flickr accounts, and the ability to have it make use of nearly any RSS feed. Oh, and it shows baby pictures too, I guess, in the mix, if that's what you want.

The widgets are powered by FrameChannel, which is a sort of third-party service that provides this functionality to Kodak picture frames everywhere. You set up an account with a special secret code that is shown on your picture frame (which nobody is supposed to have access to, otherwise they could load content on your frame before you even take it out of the box), and then you are off to widget building land where you can construct a slideshow based on time of day and frequency of display.

However, deep on the website I noticed this little innocent piece of information:

[Image: Advanced Settings]

What’s this at the bottom? Some strange little RSS URL?

Well, let's just plug it in and see what happens:

http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6D

Look, it's an RSS feed of what my picture frame is showing now! I can send this nice URL to everyone I know so they can look at all my private content I have configured for this device. Now, under no circumstances would I recommend changing the last digits of this MAC address frame ID to another number… because you would get someone else’s picture frame content. Why would you want to do that?

UPDATE: 1/6/2010 It is quite apparent that FrameChannel is no longer interested in providing the public RSS feature to its customers. As other people have indicated, the RSS URL has been removed from the user interface. In addition, they are filtering by User-Agent. I am sure that will put an end to sharing of my RSS feed of my frame because User-Agents are impossible to fake. No word if they intend to update firmware for the “AVOS/1.1”-based device.
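Why a User-Agent filter does not close the hole described above, shown as a server-side check next to one that requires a per-frame secret. This is an added example, not code from this post or from FrameChannel; the signing key, the X-Frame-Token header, the pairing step and the frame IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Everything here is constructed for illustration; it is not FrameChannel's code.
SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret
FRAME_UA = "AVOS/1.1 libhttp/1.1"      # User-Agent string quoted in the comments
# Constructed frame IDs taken from the MAC range reserved for documentation.
REGISTERED = {"00:00:5E:00:53:01", "00:00:5E:00:53:02"}

def weak_authorize(headers, frame_id):
    """Scheme described in the post: a valid frame ID plus a User-Agent match.
    Both values are chosen by the sender, so neither proves it is the frame."""
    return frame_id in REGISTERED and headers.get("User-Agent") == FRAME_UA

def issue_token(frame_id):
    """Per-frame secret handed to the device at pairing (hypothetical step)."""
    return hmac.new(SERVER_KEY, frame_id.encode(), hashlib.sha256).hexdigest()

def strong_authorize(headers, frame_id):
    """Require a value that cannot be derived from the frame ID or the headers."""
    if frame_id not in REGISTERED:
        return False
    presented = headers.get("X-Frame-Token", "")  # hypothetical header name
    expected = issue_token(frame_id)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(presented.encode(), expected.encode())

def compare_schemes():
    """Return (weak, strong) decisions for the frame, an outsider, and token reuse."""
    frame, other = "00:00:5E:00:53:01", "00:00:5E:00:53:02"
    frame_req = {"User-Agent": FRAME_UA, "X-Frame-Token": issue_token(frame)}
    # A third party knows only the published User-Agent and a neighbouring ID.
    outsider_req = {"User-Agent": FRAME_UA}
    return {
        "frame": (weak_authorize(frame_req, frame), strong_authorize(frame_req, frame)),
        "outsider": (weak_authorize(outsider_req, other),
                     strong_authorize(outsider_req, other)),
        # A token issued for one frame must not open another frame's feed.
        "cross": (weak_authorize(frame_req, other), strong_authorize(frame_req, other)),
    }
```

The weak check accepts all three requests; the token check accepts only the frame presenting its own token.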

Slashdot has called this feature, documented on the web interface, a “major privacy/security issue”, and some discussion has ensued on the forum: http://yro.slashdot.org/story/10/01/05/0413228/Kodak-Wireless-Picture-Frames-Open-To-Public.

UPDATE: 6/21/2011 Regretfully, FrameChannel has informed its users that their year-old WiFi internet-connected picture frame is now completely obsolete. With all these initiatives of putting everything in the cloud, I am sure we will see more of this crap.

Yeah, ‘due to the economy’, I may not be able to afford to store the kilobytes this blog post contains much longer. Maybe their economic challenges rest in the fact that there was no business model to begin with.

83 Responses to “Kodak Easyshare Wireless Picture Frame - How to show everyone what's on your frame”

  1. minime says:

    someone with a frame, please post the whole GET request so we can all do some tests

  2. minime says:

    I just set my user agent to “AVOS/1.1” ….

  3. m8 says:

    JohnH and Jason! are both almost certainly correct. Anyone have a pcap to share with the class?

  4. m8 says:

    JohnH and Jason! are almost certainly right. Anyone have a pcap to share with the class?

  5. Zeridon says:

    More interesting is the content of the feed (the text part) quite some interesting stuff there too

  6. JG says:

    While they all say “forbidden” now, one might wonder if this is simply an exclusion based on browser type. Anyone know what browser string is used by these picture frames?

  7. Christian Buchner says:

    So what is the user-agent string of an EasyShare frame?

  8. ben says:

    you can still get to the content in a feed viewer. Not sure what electronbee is talking about.

  9. Foo says:

    Can someone post a full HTTP request?
    Would be nice to see the HTTP headers, especially the User-Agent field ;)

  10. [...] frame hack If you know the MAC address of a Kodak Easyshare wireless digital picture frame, you can own it remotely. Adds JWZ: “Kodak has built an appliance for letting complete strangers browse your family [...]

  11. Well, they are showing now as 403 forbidden. However, that is based on model. Change the model number in the URL to something else such as KD9372

    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6E

    No idea if that is a valid model, but seems like a knee jerk reaction to address the issue, that would appear to break a whole lot of frames.

  12. Jeremy Wilson says:

    All they’ve done is restrict the User-Agent. Try this:

    wget -U "AVOS/1.1 lib" -O test.rss http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6D

  13. Gresrun says:

    Here’s a User-Agent that works, courtesy of http://jwz.livejournal.com/1149586.html:

    AVOS/1.1 lib

  14. Jason! says:

    The odds, apparently, are quite good.

    http://jwz.livejournal.com/1149586.html?thread=21299858#t21299858

    I could confirm that this works with the user-agent switcher plugin in Firefox; but that would imply some sort of malfeasance.

  15. yeah says:

    they could only be filtering on user agent, looking at the manuals there is no way for a user/pass to be entered on the frame itself, just on the desktop software. i wonder if their jpeg display implementation is susceptible to code execution bugs via java or flash? i would not be surprised.

  16. flamechannel user says:

    From Framechannel’s web site:

    >Emailed photos are set to default to inactive until you approve them. Go to My Account and click on the last tab, “Email and camera phone settings” make sure your Allow settings is set to either All email to username@framesend.com or Only those I have invited/accepted as friends to send pictures. Your “By default, emailed photos are” should be set to either Active or Active for all invited users, inactive otherwise. If images weren’t set to default as active you will have to manually check them off to activate them.

    So you can snoop on someone else’s photo stream, but the user has to do the usual stupid to allow you to stream p0rn among the photos of his kids.

  17. chris says:

    Still working for me as at 9.21pm South African time (6th Jan)

  18. BCAmes says:

    FrameChannel already has an alternative more secure way to specify the RSS feed, which is http://rss.framechannel.com/user=Username/PIN=nnnn. This method was already used by some other brands of frames, and it also works just fine on the Kodak frames if you enter it as a Photo RSS url. You can also plug it in to your browser or share it with others if you want without problems. You can change your PIN number in the online settings at FrameChannel.

  19. Jono says:

    Wow, they’ve made it much more secure now. They check for the full user-agent of:

    AVOS/1.1 libhttp/1.1

    No-one will ever spoof that.

  20. PaPPy says:

    It seems the user agent doesn't work again

  21. [...] Did you know that with maybe five minutes of work, you can hack into your friend’s Kodak Easyshare Wireless Picture Frame? If you’re wondering why you would [...]

  22. goatse now says:

    So this has been around for several days and nobody has written a script to find all unactivated frames and pre-load their feed with the complete goatse image set? I’m disappointed, the Internet just isn’t what it used to be…

  23. Alex says:

    AVOS 1.1/libhttpclient

    (Try product ID KD7932 as well)

  24. [...] big fat security vulnerability. [Casey] figured out that the Kodak W820 WiFi capable digital frame can be hijacked for dubious purposes. The frame can add Internet content as widgets; things like Facebook status, tweets, and pictures. [...]

  25. Giorgio says:

    $50 is really cheap. Where did you get it for that price?

  26. jeicrash says:

    I imagine that even if they secure it completely, a man in the middle attack using ettercap to replace images with your own would still be very fun. or replace the entire rss feed with a new one. Too bad I can not afford one of these right now.

  27. PaPPy says:

    broke again

  28. MB says:

    Does anyone know the status of this security breach?

  29. [...] got me thinking was a (not so recent) post discussing security, or lack thereof, of Kodak wireless picture frames. Until then, I didn’t [...]

  30. Nick G says:

    Keep in mind that this also only works on the people who are actually using the Framechannel service. I have one of these and I simply stream an RSS feed of my photos from a local web server.

  31. Jodaqifo says:

    Kodak Easyshare Wireless Picture Frame - How to show everyone whats on your frame « Casey Halverson…

    One Touch Zoom 90 cameras

  32. [...] email and manual photo upload service from which the devices streamed (myframechannel.com) closed. Apparently due to “economy” quotes one blogger. I got to be honest, I haven’t used the damn thing in over a year, but [...]
