Security Through Obscurity

Kodak is offering the Easyshare Wireless Picture Frame, which uses a wireless Internet connection to select and display its content.

According to a blog post by Casey Halverson, the wireless picture frame's contents come from a findable URL. It wouldn't take a lot of technology to build software to search for the contents of other random picture frames.

This poses an interesting question: when is Security Through Obscurity (STO) good enough to protect privacy? This is one of those technical weaknesses that professionals like to talk about but that most people won't understand. It can play out in one of several ways:

  • The product becomes popular, and it takes years for the security problems to bother the user community. This is what happened with analog cell phones.
  • The product's security problems become an issue that interferes with its marketplace success. This is what happened with early Web sites. Netscape solved the problem by introducing SSL encryption.
  • The product fails for other reasons.

Many people rely on Security Through Obscurity to protect private things. Some friends used to keep a family web site whose access depended on answering several questions that only family members (or close friends) might know.

So what is the vulnerability? The Kodak frame uses an RSS URL maintained by FrameChannel, an on-line service. The URL contains 3 parts:

  • the domain name,
  • the product code (same for each Kodak frame) and
  • the numeric MAC address of the frame's 802.11 interface.

It's entirely practical to build software to search that MAC address range for feeds. FrameChannel should be able to detect such behavior on their server, but it requires special programming in their server software.

Another alternative would be to assign a longer and more random URL to the individual devices. This would make manufacturing a bit more complicated: the customer needs an easy way to hook the frame up to the FrameChannel service, and many will balk at typing a huge string of textual gibberish.
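To make the two defensive points above concrete, here is an added example (my own, not code from the original post, Kodak or FrameChannel). It assumes a simplified access log format of "client path status" and uses PRODUCTCODE as a placeholder for the real product code. The first part is the kind of server-side check the post says FrameChannel would need: a real frame polls one feed over and over and gets 200s, while a scanner walks many distinct addresses, mostly getting 404s and often in consecutive order. The second part shows the alternative the post proposes, a long random per-device token, and puts a number on why it closes the gap.

```python
import math
import re
import secrets
from collections import defaultdict

# Constructed sample log lines (client, path, status). PRODUCTCODE is a
# placeholder, not Kodak's real product code. 10.0.0.5 behaves like a frame
# polling its own feed; 198.51.100.7 behaves like an address scanner.
SAMPLE_LOG = """\
10.0.0.5 /feed/PRODUCTCODE/00-11-22-00-00-01.rss 200
10.0.0.5 /feed/PRODUCTCODE/00-11-22-00-00-01.rss 200
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-01.rss 200
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-02.rss 404
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-03.rss 404
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-04.rss 404
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-05.rss 404
198.51.100.7 /feed/PRODUCTCODE/00-11-22-00-00-06.rss 200
"""

# Assumed log layout: "<client> /feed/<product>/<MAC with dashes>.rss <status>"
LINE_RE = re.compile(r"^(\S+) /feed/[^/]+/([0-9A-Fa-f-]{17})\.rss (\d{3})$")


def parse_log(text):
    """Yield (client, mac, status) for each line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), int(m.group(3))


def consecutive_pairs(macs):
    """Count adjacent MACs (sorted numerically) that differ by exactly one.
    A legitimate frame never produces these; a range walk produces many."""
    values = sorted(int(mac.replace("-", ""), 16) for mac in macs)
    return sum(1 for a, b in zip(values, values[1:]) if b - a == 1)


def flag_enumerators(text, min_distinct=4, min_miss_ratio=0.5):
    """Return clients that requested many distinct frame ids, mostly missing.
    Thresholds are assumptions for the sample; tune them on real traffic."""
    seen = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for client, mac, status in parse_log(text):
        seen[client].add(mac)
        total[client] += 1
        if status == 404:
            misses[client] += 1
    flagged = []
    for client, macs in seen.items():
        miss_ratio = misses[client] / total[client]
        if len(macs) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged.append(client)
    return sorted(flagged)


def expected_requests_per_hit(id_bits, valid_ids):
    """Average guesses an outsider needs per valid feed when ids are drawn
    uniformly from a space of id_bits bits and valid_ids of them exist."""
    return (2 ** id_bits) / valid_ids


def new_feed_token(nbytes=16):
    """The post's alternative: a random per-device identifier instead of the
    MAC. 16 bytes gives 128 bits; secrets uses the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def token_bits(nbytes=16):
    """Entropy of a token from new_feed_token, in bits."""
    return 8 * nbytes


if __name__ == "__main__":
    print("flagged clients:", flag_enumerators(SAMPLE_LOG))
    # A vendor's 24-bit OUI is public, so an outsider guesses only the low
    # 24 bits of a MAC; with 2**14 frames sold that is a handful of tries.
    print("MAC-based, guesses per hit:", expected_requests_per_hit(24, 1 << 14))
    print("128-bit token, guesses per hit:",
          math.log2(expected_requests_per_hit(token_bits(), 1 << 14)), "bits")
    print("example token:", new_feed_token())
```

The detection rule deliberately keys on behaviour a real frame cannot exhibit (many distinct ids, high miss rate, consecutive addresses) rather than on request volume alone, so a busy but legitimate frame is not flagged. The token comparison shows why the random URL is more than a cosmetic change: the MAC scheme leaves roughly 24 bits to guess once the vendor prefix is known, while a 16-byte token leaves 128.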

Meanwhile, it will be interesting to see how such products fare in the marketplace. On one hand I hope it succeeds. On the other, I worry about eroding privacy. If I owned one, I would probably restrict the feed to stuff I might post in public anyway.

An older vulnerability

A few years back, people realized that many security cameras now publish their feeds via Internet connections. Typically, the company connects the cameras to their local network. To view a camera, you type in a peculiar URL. If the company has posted the URLs somewhere on their web site (for the convenience of the security people, for example) then Google might just be able to find those camera URLs, too.
