Insta360 camera vulnerability lets anyone download your photos
Earlier this year, a major vulnerability in Insta360 camera software was discovered by users on Reddit. In short, it allows anyone to connect to any Insta360 camera and upload the photos. Seven months later and much of the problem remains unresolved.
The exploit revealed on Reddit
In January, Reddit user cmdr_sidhartagautama posted a detailed breakdown of a vulnerability he discovered in the Insta360 One X2 camera. He realized that upon unboxing, the camera would still be broadcasting a Wi-Fi signal named “ONE X2 XXXXXX.OSC”, where the “X” stands for the last characters of any camera’s serial number.
Anyone within range of the camera could discover this network on their laptop or smartphone, but probably wasn’t affected because it still required a password. But cmdr_sidhartagautama pointed out that the password for Insta360 cameras is not only always the same on each camera, but also cannot be changed.
“This camera has more holes than Swiss cheese. Honestly, I can’t remember seeing a consumer product – with such a wide reach as Insta360 – as insecure as this. These are beginner CTF levels broken…and in multiple places,” he wrote.
In this report, cmdr_sidhartagautama was able to login to the camera and view all content using a computer browser and a specific URL. It also demonstrated the ability to gain root access to the camera over Wi-Fi.
“It would be trivial for a hacker to launch a drive-thru attack on these cameras, injecting malware into the SD card which would then be read by your work/home computer…in fact, I’m pretty sure it could being dewormed, using one camera to attack another in a cascading effect,” says cmdr_sidhartagautama.
Although the report is now several months old, the matter has been brought to PetaPixel Look out late last week when a new Reddit post noted that the issue had yet to be resolved by Insta360 despite being brought to the company’s attention in January.
Insta360 says it’s working on it
PetaPixel contacted Insta360 for comment.
“We are indeed aware of this and have been working on updating the firmware and app over the past few months based on user feedback from our community,” an Insta360 representative said.
“Currently, the list_directory has already been closed and it is no longer possible to access the camera content via the browser. We are also updating the application and firmware to allow users to modify their own password to improve security. This change will be announced to users in the app/firmware release notes once implemented.
“We will make sure to track and implement the app/firmware update within a reasonable timeframe.”
Firmware patch may not be enough
Being able to change the camera’s Wi-Fi name and password would be helpful, but according to cmdr_sidhartagautama, it won’t entirely solve the problems.
“Some users have suggested that simply putting in a user-chosen (or random) Wi-Fi password will fix the problem. It won’t,” they say.
“And the reason for that is that the API that the camera uses doesn’t do any authentication on request, which means any app installed on the device (including a rogue app that you don’t know is there to steal your videos/photos or install malware on your SDCARD) can send an HTTP request to the camera’s IP address and access this API, if you are connected to the camera.”
Another Redditor, bmajkii, agrees.
“I’m not sure why people are trivializing the issue both here and in the original thread. The flaws found pose serious security risks. Any decent product company that cares about security integrity would have put in place patches/mitigation plans before you’ve even seen such posts on Reddit (because they have proper channels to report security vulnerabilities),” they write.
“The hard-coded Wi-Fi password is just one of the problems. Even if he were allowed to change it, you would still be changing the password through a Bluetooth API/endpoint which is probably still vulnerable From my perspective, running the telnet service (with easy root access) on production-grade firmware is a joke.
Some have argued that it is not possible for cameras to connect to two devices simultaneously.
“To people who say you can’t connect two devices to the camera simultaneously via Wi-Fi: you can and I just did,” bmajkii wrote.
“Imagine you’re on vacation and strolling through the bustling city center while recording footage through your camera (as far as I’ve checked all vulnerable ‘consumer’ cameras). All it takes for a potential attacker to infect your phone/PC with malware is to sit on a bench with a laptop and a running python script and you try to open later a file that is on the SD card that you thought was a video you recorded.
Picture credits: Header photo by Ryan Mense for PetaPixel.