Earlier this year, a major vulnerability in Insta360 camera software was discovered by users on Reddit. In short, it let anyone connect to any Insta360 camera and download the photos. Seven months later and much of the issue remains unfixed.
In January, Reddit user cmdr_sidhartagautama published a detailed breakdown of a vulnerability he discovered in the Insta360 One X2 camera. He realized that out of the box, the camera would always broadcast a Wi-Fi signal named “ONE X2 XXXXXX.OSC,” where the “X” stands for the last characters of any camera’s serial number.
Anyone in range of the camera could discover this network on their laptop or smartphone, but most probably weren’t concerned since it still required a password. But cmdr_sidhartagautama pointed out that the password to Insta360 cameras is not only always the same on every camera, but it also cannot be changed.
“This camera has more holes than Swiss cheese. Honestly, I don’t remember seeing a consumer product — with a reach as big as Insta360 — as insecure as this. This is beginner CTF levels of broken… and in multiple places,” he writes.
In that report, cmdr_sidhartagautama was able to connect to the camera and see all of the content on it using a computer browser and a specific URL. He also demonstrated the ability to gain root access to the camera over Wi-Fi.
“It would be trivial for a hacker to do a drive-by attack on these cameras, injecting malware into the SD card which would later be read by your work/home computer… in fact, I’m pretty sure this could be wormable, using one camera to attack another in a cascading effect,” cmdr_sidhartagautama claims.
While the report is now months old, the issue was brought to PetaPixel’s attention late last week when a new Reddit post noted that the issue had not yet been fixed by Insta360 despite being brought to the company’s attention back in January.
PetaPixel reached out to Insta360 for comment.
“We are indeed aware of it and have been working on updating the firmware and app in the past few months based on the user feedback from our community,” an Insta360 representative says.
“Currently the list_directory has already been terminated and it is no longer possible to access the camera content through the browser. We’re also updating the app and firmware to let users change their own password to improve security. This change will be announced to users in the app/firmware release notes once implemented.
“We’ll make sure to follow up and implement the app/firmware update in a reasonable timeframe.”
Being able to change the camera’s Wi-Fi name and password would be helpful, but according to cmdr_sidhartagautama, it won’t fix the issues entirely.
“It has been suggested by some users that just putting a user-chosen (or randomized) Wi-Fi password would fix the issue. It won’t,” they say.
“And the reason is that the API the camera is using does not do any authentication on the request meaning any app installed on the device (including a malicious one that you don’t know is there to steal your videos/photos or install malware on your SDCARD) can make an HTTP request to the camera’s IP and access that API, if you are connected to the camera.”
Another Redditor, bmajkii, agrees.
“I’m not really sure why people are trivializing the issue both here and in the original thread. Flaws found are serious security risks. Any decent product companies with security integrity in mind would have fixes/mitigation plans in place before you’d even seen such posts on Reddit (because they have proper channels for reporting security vulnerabilities),” they write.
“Hardcoded Wi-Fi password is just one of the issues. Even if it would be allowed to be changed, you would still be changing the password via some Bluetooth API/endpoint that is probably still vulnerable. From my perspective running telnet service (with easy root access) on production grade firmware is a joke.”
Some argued that it was not possible for the cameras to connect to two devices simultaneously.
“To people saying you cannot connect two devices to the camera simultaneously over Wi-Fi: you can and I just did,” bmajkii writes.
“Imagine that you’re on vacation and strolling through busy city center while recording some footage via your camera (as far as I checked all “consumer” cameras ale vulnerable). All it takes for potential attacker to infect your phone/PC with malware is to sit there on a bench with a laptop and some python script running and you to try to later open some file that is on the SD card that you thought is a video you recorded.”
Image credits: Header photo by Ryan Mense for PetaPixel.
© 2022 PetaPixel
Vulnerability in Insta360 Cameras Lets Anyone Download Your Photos – PetaPixel
06/09/2022 360 Photography