{"id":1280,"date":"2009-03-13T21:15:15","date_gmt":"2009-03-14T05:15:15","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1280"},"modified":"2009-03-13T21:16:08","modified_gmt":"2009-03-14T05:16:08","slug":"security-review-eye-fi","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-eye-fi\/","title":{"rendered":"Security Review: Eye-Fi"},"content":{"rendered":"<p><a href=\"http:\/\/www.eye.fi\/\" target=\"_blank\">Eye-Fi<\/a><\/p>\n<p>&#8220;The Eye-Fi Card stores photos &amp; videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos &amp; videos. To your computer. Or to your favorite photo sharing web site. Or both.&#8221;<\/p>\n<p>The Eye-Fi card is an SD memory card used with cameras, capable of connecting to wi-fi networks and uploading to sharing sites like Flickr, Picasa, etc. \u00a0It&#8217;s also capable of specifying privacy levels for each upload. \u00a0All these configurations can be set using their software on a registered computer on the same network. \u00a0Photos can be uploaded as you take them as long as you are connected to the network.<\/p>\n<p>The assets include the card, photos, and the website account information\/access. \u00a0The card is expensive and can contain sensitive and private photos. \u00a0As mentioned, the photos being uploaded can be private. \u00a0The website account information\/access is also valuable because you don&#8217;t want your password and account compromised. \u00a0Knowing the password could compromise your accounts on other sites. \u00a0Also you don&#8217;t want unauthorized photos uploaded or unauthorized actions on your account.<\/p>\n<p>Adversaries may include anyone who is interested in potentially private photos and malicious adversaries who want to take control of or exploit your website accounts. 
\u00a0Adversaries could gain access to these assets in a number of ways. \u00a0Since the Eye-Fi card communicates via wireless, if the messages were unencrypted and the protocol reverse engineered, it&#8217;s conceivable that messages could be spoofed, tricking the configured computer on the network into conducting unauthorized actions like uploading different photos to the photo sharing website accounts. \u00a0Photos could also be intercepted through the network. \u00a0Also, depending on the protocol, if account information is being transmitted back and forth between the Eye-Fi card and the configured computer, these messages could be intercepted and account information such as passwords could be read. \u00a0The product description seemed to suggest that the card could be configured wirelessly. \u00a0If this were the case, then a malicious user could spoof the configuration messages and reconfigure the card.<\/p>\n<p>A good defense perhaps would be to require configuration of the card to happen only while the card is physically plugged into the configured computer. \u00a0At this point, the computer and the Eye-Fi card could easily exchange symmetric keys in order to encrypt exchanged messages. \u00a0This also prevents a malicious person from spoofing configuration messages. \u00a0The account information should be kept on the configured computer and shouldn&#8217;t be transmitted across the network. \u00a0Since I&#8217;m not familiar with the details of the protocol, it&#8217;s possible that Eye-Fi already employs some or all of these security measures.<\/p>\n<p>Requiring that the Eye-Fi card is physically connected to the configured computer is an extra inconvenience in order to enforce more security. \u00a0The entire idea behind the card is to make the photo uploading process easier and more convenient and enforcing this kind of security is likely not a priority. 
\u00a0Additionally, if the network you&#8217;re on is one you own and you already require a key to access the network, then Eye-Fi use is probably already secure from adversaries outside of your network.<\/p>\n<p>However, it&#8217;s interesting to consider that as technology evolves, wireless will become more and more commonplace, and companies will likely continue to push convenience as a priority. \u00a0And often this convenience will come at the cost of security. \u00a0As it is, wireless already has its fair share of security issues but hasn&#8217;t become a mainstream concern. \u00a0With more users using wireless and more assets becoming accessible via wireless, more and more adversaries may find it worth their while to exploit wifi weaknesses.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Eye-Fi &#8220;The Eye-Fi Card stores photos &amp; videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos &amp; videos. To your computer. 
Or to your favorite &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-eye-fi\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":102,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[202,203,205,204,206,14],"class_list":["post-1280","post","type-post","status-publish","format-standard","hentry","category-security-reviews","tag-eye-fi","tag-eyefi","tag-photos","tag-sd-card","tag-wifi","tag-wireless"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/102"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1280"}],"version-history":[{"count":2,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1280\/revisions"}],"predecessor-version":[{"id":1282,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1280\/revisions\/1282"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}