Insta360 vulnerability allows unauthorized access to user photos


A software flaw discovered seven months ago allows anyone to access and download photos taken with Insta360 cameras.

Reddit user cmdr_sidhartagautama discovered the vulnerability affecting the Insta360 One X2 device in January 2022.

“When you have your camera on, it’s always broadcasting a 5G Wi-Fi signal that is named ‘ONE X2 XXXXXX.OSC’ where the X marks the last characters of your camera’s serial number. So, you (or anyone else) can connect to that Wi-Fi network,” the Reddit user wrote.

To make matters worse, the eight-character password, consisting of a single repeated number, is the same for every device. Due to firmware limitations, users cannot change the password. That means that virtually anyone in the vicinity of the camera can connect to it.

Investigating further, cmdr_sidhartagautama discovered that following a simple URL containing the camera’s IP address allowed anyone connected to access and download the camera’s content straight from the browser.
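As an added illustration, not code from the Reddit post or from Insta360, the following Python audit checks a hypothetical camera access-point configuration for the two weaknesses just described (a fixed, low-entropy Wi-Fi password shared across units, and a browser-reachable directory listing) and produces the hardened configuration that the vendor’s planned fix implies. The field names, the sample configuration and the password value are constructed assumptions.

```python
import copy
import secrets
import string

# Constructed sample configuration (field names are assumptions, not the
# camera's real settings). The password here is a placeholder, not the
# actual shared default, but it has the same shape: one repeated digit.
WEAK_AP = {"ssid": "ONE X2 XXXXXX.OSC", "password": "11111111",
           "list_directory": True}


def audit_ap_config(cfg: dict) -> list:
    """Return a list of finding identifiers for an access-point configuration.

    Mirrors the article's points: a password built from a single repeated
    character, a short all-numeric password, and an HTTP directory listing
    that exposes stored media to anyone on the Wi-Fi network.
    """
    findings = []
    pw = cfg["password"]
    if len(set(pw)) == 1:                   # e.g. "11111111": zero real entropy
        findings.append("password-single-repeated-char")
    if pw.isdigit() and len(pw) < 12:       # small numeric keyspace
        findings.append("password-short-numeric")
    if cfg.get("list_directory"):           # media browsable without auth
        findings.append("directory-listing-enabled")
    return findings


def generate_device_password(length: int = 16) -> str:
    """Per-device random password, so no two units share a secret."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hardened_config(cfg: dict) -> dict:
    """Apply the two fixes the vendor describes: a user-settable, unique
    password and no directory listing over the browser interface."""
    fixed = copy.deepcopy(cfg)
    fixed["password"] = generate_device_password()
    fixed["list_directory"] = False
    return fixed


if __name__ == "__main__":
    print("weak:", audit_ap_config(WEAK_AP))      # three findings
    print("fixed:", audit_ap_config(hardened_config(WEAK_AP)))  # []
```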

“Hassle free content sharing! This is brilliant if you ask me. Literally, ZERO barrier to entry,” the Reddit user behind the discovery wrote sarcastically.

According to cmdr_sidhartagautama, root access to the camera could be gained over Wi-Fi. They added that threat actors with basic tools could perform a drive-by attack on the camera, injecting malware into the SD card, which would then transfer the malware to the user’s computer.

“In fact, I’m pretty sure this could be wormable, using one camera to attack another in a cascading effect,” cmdr_sidhartagautama said.

Another Reddit post from six days ago claims that the vulnerability still hasn’t been fixed, even though close to eight months have passed since it was first reported. While some users were dismissive of the vulnerability on the subreddit dedicated to Insta360, others were more concerned.

“Imagine that you’re on vacation and strolling through a busy city center while recording some footage via your camera. All it takes for a potential attacker to infect your phone/PC with malware is to sit there on a bench with a laptop and some python script running […],” Reddit user bmajkii explained.

Aware of the problem

The camera’s maker says it is aware of the problem and is working on a fix. According to an Insta360 representative, the company has been working on a firmware update based on the feedback users provided.

"We're updating the app and firmware to let users change their own password to improve security. The list_directory will be terminated and it will be no longer possible to access the camera content through the browser," the company's representative told Cybernews.

The changes should prevent unauthorized access to user photos via a browser. The company says that the changes will be announced to users in the app and firmware release notes once they are implemented. However, no specific deadline for the updates was given.

Insta360 was established in 2015 and is headquartered in Shenzhen, China. The company also has offices in the US, Japan, and Germany.