Eye-fi is a new memory card for digital cameras that uses wireless internet to upload photos directly from your camera. The user sets up to 32 preferred wireless networks and upload destinations to initialize the memory card. There are multiple variations of the card with different memory limits. The card also allows for the "endless memory option" where the oldest information is uploaded and deleted as the card fills - therefore giving off the idea of being an endless supply of memory. The card is compatible with almost any digital cameras from any company, and can upload to any type of portal from email to facebook to flicker, to iphoto etc.
As an owner of such technology I would want to ensure that my pictures and other media stored on this device are only being uploaded to my specified locations on my specified networks. I would also want to make sure that I am aware of when these uploads are occurring and what is being removed from the device when the upload occurs. I would also want to make sure that if I have chosen to upload directly to a public networking site, that I have control over which pictures are automatically uploaded and which are kept for personal use. There is also the idea of knowing if an upload fails that I do not lose any of my media. Lastly, I would want to also have the option of uploading directly to my computer via some other technology than wireless networks if I am in an unsecured location.
As a hacker I would be looking to exploit the use of wireless networks as a means to usurp media from one of these cards. This could be anything from capturing the upload as it is in progress to retain the media rather than the user or deleting the media without consent of the user. I would look to possible delete data or disable an upload as it occurs, possibly confusing the system into removing the media without proper back up support. I would also potentially look to disable or circumvent personalized settings to either upload to a different portal (ie facebook instead of iphoto) or even circumvent security measures as to which photos/videos get uploaded with or without owners consent.
Some of the vulnerabilities that exist is the reliance of this device on wireless networks. Though many now are secure, older networks are not as protected as they could be. This could allow hackers easy access to disrupting or intercepting uploads. It could also allow hackers to penetrate the Eye-fi's settings and alter them for their personal benefit. Eye-fi has also had problems with failed uploads. Normally uploads are backed up with something called, "Relayed photos" which are photos/ videos that get stored on Eye-fi servers in case of failure or extended Endless Memory issues. If these servers are not securely protected, then hackers could potential enter them stealing media from all Eye-fi users. Lastly, the vulnerability also exists with this being a new technology. As this is the first of its kind, the bugs and issues are coming up while it is in its early life cycle stages. Though Eye-fi has had one of the fastest turn around times with patches for known problems, it is still in the infant stages looking to grow.
Though wireless networks are becoming more and more secure, there is still and always will be the potential hacker looking to exploit a vulnerability. The dependence on wireless networks by eye-fi will always be a risk that the device relies heavily on. The device also relies on users having the ability to set their personal settings and controls on the device. Many users do not realize either how to do this or even how to set limitations on the networks they allow their Eye-fi to operate on. There is always room for human error. Another inherent risk is the risk of media loss. Though Eye-fi has put in place many back up systems, there are risks from nature or unforeseen accidents that could pose threats to the servers, data center, or even the transfer of data from the device to the suggested portal.
In order to mitigate risks, I would first always alert users to use protected networks and to manage their personal settings. There is a need for the user to understand that their media has the possibility of being intercepted if using an un-secure connection. I would also require passwords for any change to personal settings, beyond the passwords required of the different upload portals. This could help in authenticating users. There should also be a survey of risks to servers and data centers from threats such as mother nature, to begin discussion on further backup procedures. As Eye-fi gains market share in the memory card industry there will be more and more exploited holes in their system, as long as Eye-fi continues its quick patch fixes to problems I believe it will begin to become an even more sought after good.
http://www.eye.fi/
Thursday, November 11, 2010
Subscribe to:
Post Comments (Atom)
Posts
Thank you for the writeup. My name is Ziv, and I'm one of the co-founders. I'm not one of the technical co-founders (I do sales and biz dev), but I'd like add and correct a few points:
ReplyDelete* When you're behind a secured network (WEP, WPA, WPA2), the transmission is secured from your home, to our servers.
* When you upload to your PC only, and you're on the same LAN segment, the uploads never reach our servers
* When you upload from an open hotspot, we secure the connection, between the card, and our servers. This is done to prevent from hackers, intercepting the transmission
* Relayed uploads actually means the following -- if you choose to upload to a sharing site, your photos are always relayed through our servers. In that case, Relayed is turned on, and can't be turned off. If you choose to upload to your PC only, you have the option to turn Relayed on or off. If you leave it on, and you're at school, or on another network (even an open hotspot), your media will go through our servers, to your PC back at the dorm. If you turn Relayed uploads OFF, the uploads will never take place until you come back to the same LAN segment as your PC/Mac.
* take a look at our homepage's bottom right corner -- we've had 100MM photos, roughly, upload from Eye-Fi cards. We haven't had any security issues :-)
Thx --
Ziv.
I've always wondered how those Eye-Fi cards work. The idea of not having to connect your camera and not needing to worry about the amount of space on your SD card is certainly appealing and takes advantage of the cloud computing trend.
ReplyDeleteOne possible solution that perhaps future iterations of the Eye-Fi card could use to avoid the use of unsecured or WEP wireless networks is to make the compatible with mobile networks, allowing uploads via the Verizon, Sprint, or AT&T networks for example. This would allow uploads from almost anywhere and would be a potentially more secure connection since it would be a dedicated connection to the Internet rather than moving through someone else's local network first. Of course the disadvantage for this would be the associated data costs for the end user, perhaps paid based on per-megabyte usage or a monthly plan. Additionally, the technology is not quite there yet to be able to integrate CDMA/GSM antennae into something the size of an SD card. GSM networks would also need a SIM card that would likely take up most of the physical space of an SD card.
I agree that this system is definitely in its early stages and that many vulnerabilities will arise as it gets older. Although I rarely post pictures online to Facebook or any other type of media, I would not feel secure posting them wirelessly. I would want them to be uploaded through a secure connection between the camera and the computer. I know there are many settings that people have when they upload pictures to facebook, would they still get to use these settings or does Eye-fi just do automatic settings and then the user later has to go on their computer and change who they want to tag and who they want to be able to see their pictures. I would definitely make sure my settings are set up correctly before using Eye-fi, just in case there is something I wouldn't want everyone to see.
ReplyDeleteNext I would be concerned about what networks I am using because I know that some computers will automatically detect a new wifi location and connect to it if it is not password protected. I do not like this Eye-fi thing. It seems to me like it is just an unnecessary peice of hardward to make money. I don't know why people need to upload their pictures as soon as they are taken but I guess that is just the way some people are.
While reading this I thought of a few different things. First of all, I was just thinking about how technical the world is becoming without the human knowledge catching up to it. To many people, this idea is just convenient. They simply think, Wow this makes my life easier. They do not, however, notice the risks that are involved. The technology is still new, and there is room for problems. Many people using the device won't have any idea about security measures to take. Education is the biggest thing with any new technology like that. People who will use it must know about the risks and how they can protect themselves from the risks.
ReplyDeleteMy second thought involves the conversation we had on election hacking in class the other day. I was thinking about how bad it would be if some personal photos of a candidate became public. I am sure everyone has bad picture of themselves that they would rather not have spread throughout the world. Technologies like this, even more that facebook or flickr, are prone to this. In those sites a person must have an account to be hacked in to. If this becomes popular, anyone with a camera is a target. An election could be lost if the wrong photo of a candidate got out.
I think this is definitely an interesting idea, especially in an age when it is more popular to look at pictures on a computer than on paper. While I also believe there are flaws it is possible to be safe. I believe that information and education are most important in helping users to protect themselves. I'm interested to see if this technology becomes popular.