Earlier this year, Reddit users discovered a major vulnerability in the Insta360 camera software. In short, it allowed anyone to connect to any Insta360 camera and download the photos. Seven months later and much of the problem remains unresolved.
The feat revealed on Reddit
In January, Reddit user cmdr_sidhartagautama posted a detailed breakdown of a vulnerability he discovered in the Insta360 One X2 camera. He realized that, right out of the box, the camera would always transmit a Wi-Fi signal called “ONE X2 XXXXXX.OSC”, where the “X” represents the last characters of any camera’s serial number.
Anyone within range of the camera could discover this network on their laptop or smartphone, but they most likely didn’t care as it still required a password. But cmdr_sidhartagautama pointed out that the password for Insta360 cameras is not only always the same on all cameras, but also cannot be changed.
“This camera has more holes than Swiss cheese. Honestly, I don’t remember seeing a consumer product, with a range as big as Insta360, as insecure as this one. These are broken beginner CTF levels…and in multiple places,” he writes.
In that report, cmdr_sidhartagautama was able to connect to the camera and view all content using a computer browser and a specific URL. He also demonstrated the ability to gain root access to the camera over Wi-Fi.
“It would be trivial for a hacker to perform a drive-by attack on these cameras, injecting malware into the SD card which would then be read by your work/home computer…in fact, I’m pretty sure this could be a worm, using one camera to attack another in a cascading effect,” says cmdr_sidhartagautama.
Although the report is months old, the problem was brought to PetaPixel’s attention late last week when a new Reddit post noted that Insta360 had yet to fix the issue despite the company being told in January.
Insta360 says it’s working on it
PetaPixel contacted Insta360 for comment.
“In fact, we are aware of this and have been working on updating the firmware and the app over the past few months based on user feedback from our community,” says an Insta360 representative.
“Currently, list_directory has already been canceled and it is no longer possible to access the contents of the camera through the browser. We are also updating the app and firmware to allow users to change their own password to improve security. This change will be announced to users in the application/firmware release notes once implemented.
“We will make sure to follow up and implement the application/firmware update within a reasonable time frame.”
Firmware fix may not be enough
It would be helpful to be able to change the camera’s Wi-Fi name and password, but according to cmdr_sidhartagautama, it won’t completely fix the issues.
“Some users have suggested that simply putting in a user-chosen (or random) Wi-Fi password would fix the problem. It won’t,” they say.
“And the reason is that the API that the camera uses does not perform any authentication on the request, which means that any app installed on the device (including a malicious one that you don’t know is there to steal your videos/photos or install malware on your SDCARD) can make an HTTP request to the IP of the camera and access that API, if you are connected to the camera.”
Another Reddit user, bmajkii, agrees.
“I’m not quite sure why people are trivializing the issue both here and in the original thread. The flaws found are serious security risks. Any decent product company that takes security integrity into account would have fixes/mitigation plans in place even before you’ve seen such posts on Reddit (because they have the proper channels to report security vulnerabilities),” they write.
“The encrypted Wi-Fi password is just one of the problems. Even if you were allowed to change, you’d still be changing the password via some Bluetooth API/endpoint which is probably still vulnerable. From my perspective, running the telnet service (with easy root access) on production-grade firmware is a joke.”
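The point both users make, that a Wi-Fi password only controls who can reach the camera and not who may call its API, can be shown with a small added example (not code from the article, the Reddit posts or Insta360). The `CameraApi` class, the `/list_directory` path form, the header names and the pairing key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, method: str, path: str, nonce: str) -> str:
    """HMAC-SHA256 over the request line plus a one-time nonce."""
    msg = f"{method}\n{path}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_headers(key: bytes, method: str, path: str) -> dict:
    """Headers a paired app would attach (hypothetical header names)."""
    nonce = secrets.token_hex(16)
    return {"X-Nonce": nonce, "X-Signature": sign(key, method, path, nonce)}


class CameraApi:
    """Toy stand-in for a device API; hypothetical, not the vendor's code."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._used_nonces = set()

    def handle_open(self, method: str, path: str) -> int:
        # "Before": being on the camera's network is the only gate, so every
        # app on every connected device is answered, whatever the Wi-Fi password.
        return 200

    def handle_signed(self, method: str, path: str, headers: dict) -> int:
        # "After": each request must prove knowledge of the pairing key.
        nonce = headers.get("X-Nonce", "")
        sig = headers.get("X-Signature", "")
        if not nonce or nonce in self._used_nonces:
            return 401  # missing or replayed nonce
        expected = sign(self._key, method, path, nonce)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return 401  # wrong key, or signature made for another request
        self._used_nonces.add(nonce)
        return 200


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed pairing key for the demo
    api, path = CameraApi(key), "/list_directory"
    good = signed_headers(key, "GET", path)
    other = signed_headers(secrets.token_bytes(32), "GET", path)
    return {"open": api.handle_open("GET", path),
            "paired": api.handle_signed("GET", path, good),
            "replay": api.handle_signed("GET", path, good),
            "other_app": api.handle_signed("GET", path, other),
            "no_headers": api.handle_signed("GET", path, {})}
```

Only the paired app's first request succeeds against `handle_signed`; another app on the same network, a replayed request and a bare request are all refused, while `handle_open` answers everyone.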
Some argued that it was not possible for the cameras to connect to two devices simultaneously.
“To the people who say they can’t connect two devices to the camera simultaneously over Wi-Fi: You can and I just did,” writes bmajkii.
“Imagine you’re on vacation and wandering around the busy city center while shooting some footage through your camera (as far as I’ve checked, all ‘consumer’ cameras are vulnerable). All it takes for a potential attacker to infect your phone/PC with malware is to sit on a bench with a laptop and run some Python script and then try to open some file on the SD card that they thought was a video you recorded.”
Image credits: Header photo by Ryan Mense for PetaPixel.