Security Review: Eye-Fi

By lidor7 at 9:15 pm on March 13, 2009

Eye-Fi

“The Eye-Fi Card stores photos & videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos & videos. To your computer. Or to your favorite photo sharing web site. Or both.”

The Eye-Fi card is an SD memory card used with cameras, capable of connecting to Wi-Fi networks and uploading to sharing sites like Flickr and Picasa.  It’s also capable of specifying privacy levels for each upload.  All of these settings can be configured using Eye-Fi’s software on a registered computer on the same network.  Photos can be uploaded as you take them as long as you are connected to the network.

The assets include the card, the photos, and the website account information and access.  The card is expensive and can contain sensitive and private photos.  As mentioned, the photos being uploaded can be private.  The website account information and access is also valuable because you don’t want your password and account compromised.  Knowing the password could compromise your accounts on other sites.  Also, you don’t want unauthorized photos uploaded or unauthorized actions taken on your account.

Adversaries may include anyone who is interested in potentially private photos, as well as malicious adversaries who want to take control of or exploit your website accounts.  Adversaries could gain access to these assets in a number of ways.  Since the Eye-Fi card communicates wirelessly, if the messages were unencrypted and the protocol reverse engineered, it’s conceivable that messages could be spoofed, tricking the configured computer on the network into conducting unauthorized actions like uploading different photos to the photo sharing website accounts.  Photos could also be intercepted on the network.  Also, depending on the protocol, if account information is being transmitted back and forth between the Eye-Fi card and the configured computer, these messages could be intercepted and account information such as passwords could be read.  The product description seemed to suggest that the card could be configured wirelessly.  If this were the case, then a malicious user could spoof the configuration messages and reconfigure the card.

A good defense perhaps would be to require configuration of the card to happen only while the card is physically plugged into the configured computer.  At this point, the computer and the Eye-Fi card could easily exchange symmetric keys in order to encrypt exchanged messages.  This also prevents a malicious person from spoofing configuration messages.  The account information should be kept on the configured computer and shouldn’t be transmitted across the network.  Since I’m not familiar with the details of the protocol, it’s possible that Eye-Fi already employs some or all of these security measures.
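One way the defense above could work, as an added example that is not part of the original post and not Eye-Fi’s actual protocol: a key shared during a wired pairing step authenticates later wireless configuration messages, so spoofed, altered or replayed messages are rejected.  The message format, the function names and the use of HMAC-SHA256 with a counter are assumptions for illustration, and encryption of the message body is left out.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def pair_over_usb() -> bytes:
    # Hypothetical stand-in for the wired pairing step: the key never crosses the network.
    return secrets.token_bytes(32)

def seal(key: bytes, counter: int, config: dict) -> bytes:
    # Computer side: serialize the config message and append an authentication tag.
    body = json.dumps({"ctr": counter, "cfg": config}, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Card:
    # Card side: applies a config only if it is authentic and newer than the last one.
    def __init__(self, key: bytes):
        self._key = key
        self._last_ctr = 0
        self.config = {}

    def receive(self, frame: bytes) -> bool:
        if len(frame) <= TAG_LEN:
            return False  # too short to hold a body and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # sender lacks the paired key, or the body was altered
        msg = json.loads(body)
        if msg["ctr"] <= self._last_ctr:
            return False  # replay of an old, previously valid message
        self._last_ctr = msg["ctr"]
        self.config = msg["cfg"]
        return True

def demo():
    key = pair_over_usb()
    card = Card(key)
    good = seal(key, 1, {"upload_to": "flickr", "privacy": "private"})  # constructed sample
    forged = seal(secrets.token_bytes(32), 2, {"upload_to": "flickr", "privacy": "public"})
    tampered = good.replace(b"private", b"public!")  # body changed, tag left as-is
    results = [card.receive(f) for f in (good, good, forged, tampered)]
    return results, card.config

if __name__ == "__main__":
    print(demo())
```

Only the first message is accepted; the replayed copy, the message sealed with a different key and the modified message are all dropped, and the card keeps the original privacy setting.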

Requiring that the Eye-Fi card be physically connected to the configured computer is an extra inconvenience imposed in order to enforce more security.  The entire idea behind the card is to make the photo uploading process easier and more convenient, and enforcing this kind of security is likely not a priority.  Additionally, if the network you’re on is one you own and you already require a key to access the network, then Eye-Fi use is probably already secure from adversaries outside of your network.

However, it’s interesting to consider that as technology evolves, wireless will become more and more commonplace, and companies will likely continue to push convenience as a priority.  And often this convenience will come at the cost of security.  As it is, wireless already has its fair share of security issues but hasn’t become a mainstream concern.  With more users using wireless and more assets becoming accessible via wireless, more and more adversaries may find it worth their while to exploit Wi-Fi weaknesses.

Filed under: Security Reviews