Vulnerability in Insta360 Cameras Lets Anyone Download Your Photos
Earlier this year, a major vulnerability in Insta360 camera software was discovered by users on Reddit. In short, it let anyone connect to any Insta360 camera and download the photos. Seven months later, much of the issue remains unfixed.
The Exploit Revealed on Reddit
In January, Reddit user cmdr_sidhartagautama published a detailed breakdown of a vulnerability he discovered in the Insta360 One X2 camera. He realized that out of the box, the camera would always broadcast a Wi-Fi signal named “ONE X2 XXXXXX.OSC,” where the “X” stands for the last characters of any camera’s serial number.
Anyone in range of the camera could discover this network on their laptop or smartphone, but most probably weren’t concerned since it still required a password. But cmdr_sidhartagautama pointed out that the password to Insta360 cameras is not only always the same on every camera, but it also cannot be changed.
“This camera has more holes than Swiss cheese. Honestly, I don’t remember seeing a consumer product — with a reach as big as Insta360 — as insecure as this. This is beginner CTF levels of broken… and in multiple places,” he writes.
In that report, cmdr_sidhartagautama was able to connect to the camera and see all of the content on it using a computer browser and a specific URL. He also demonstrated the ability to gain root access to the camera over Wi-Fi.
“It would be trivial for a hacker to do a drive-by attack on these cameras, injecting malware into the SD card which would later be read by your work/home computer… in fact, I’m pretty sure this could be wormable, using one camera to attack another in a cascading effect,” cmdr_sidhartagautama claims.
While the report is now months old, the issue was brought to PetaPixel’s attention late last week when a new Reddit post noted that the issue had not yet been fixed by Insta360 despite being brought to the company’s attention back in January.
Insta360 Says It Is Working On It
PetaPixel reached out to Insta360 for comment.
“We are indeed aware of it and have been working on updating the firmware and app in the past few months based on the user feedback from our community,” an Insta360 representative says.
“Currently the list_directory has already been terminated and it is no longer possible to access the camera content through the browser. We’re also updating the app and firmware to let users change their own password to improve security. This change will be announced to users in the app/firmware release notes once implemented.
“We’ll make sure to follow up and implement the app/firmware update in a reasonable timeframe.”
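The two weaknesses the article describes (a Wi-Fi password that is identical on every unit and cannot be changed) and the fix Insta360 says it is shipping (a user-settable password) can be contrasted in code. The following is an added example, not Insta360 firmware or anything taken from the Reddit report: it assumes a hostapd-style access-point configuration and uses a constructed placeholder string in place of the real shared password. It shows the anti-pattern beside a per-device, user-changeable provisioning routine that refuses to accept the shared default or a password derived from the serial suffix already broadcast in the SSID.

```python
"""Added example (not Insta360 code): fixed shared Wi-Fi PSK vs. per-device,
user-changeable PSK. Assumes a hostapd-style config; nothing here is taken
from the camera's actual firmware."""
import secrets
import string
from typing import Dict, Optional

# Constructed placeholder standing in for a vendor-wide, unchangeable password.
SHARED_DEFAULT_PSK = "PLACEHOLDER-SHARED-DEFAULT"
# WPA2-PSK passphrases must be 8..63 printable ASCII characters.
MIN_PSK_LEN, MAX_PSK_LEN = 8, 63
PSK_ALPHABET = string.ascii_letters + string.digits


def ssid_for(serial: str) -> str:
    """Mirror the broadcast pattern named in the article (suffix of the serial)."""
    return f"ONE X2 {serial[-6:]}.OSC"


def weak_ap_config(serial: str) -> Dict[str, object]:
    """The anti-pattern: every unit ships the same PSK and cannot change it."""
    return {
        "ssid": ssid_for(serial),
        "wpa_passphrase": SHARED_DEFAULT_PSK,
        "user_changeable": False,
    }


def generate_device_psk(length: int = 16) -> str:
    """Per-device random passphrase from the OS CSPRNG (secrets, not random)."""
    if not MIN_PSK_LEN <= length <= MAX_PSK_LEN:
        raise ValueError("WPA2 passphrase length must be 8..63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def validate_psk(psk: str, serial: str) -> None:
    """Reject passphrases that reintroduce the reported weaknesses.

    - the shared vendor default (same on every unit)
    - anything containing the serial suffix, which is already public in the SSID
    - out-of-range length or non-printable characters (invalid for WPA2-PSK)
    """
    if psk == SHARED_DEFAULT_PSK:
        raise ValueError("shared default passphrase is not allowed")
    if serial[-6:] and serial[-6:] in psk:
        raise ValueError("passphrase must not embed the broadcast serial suffix")
    if not MIN_PSK_LEN <= len(psk) <= MAX_PSK_LEN:
        raise ValueError("WPA2 passphrase length must be 8..63")
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("WPA2 passphrase must be printable ASCII")


def hardened_ap_config(serial: str, psk: Optional[str] = None) -> Dict[str, object]:
    """Per-device PSK generated at first boot, replaceable by the user later.

    `psk` is the user-supplied replacement; when None, a fresh one is generated.
    """
    chosen = psk if psk is not None else generate_device_psk()
    validate_psk(chosen, serial)
    return {
        "ssid": ssid_for(serial),
        "wpa_passphrase": chosen,
        "user_changeable": True,
    }


def render_hostapd(cfg: Dict[str, object]) -> str:
    """Emit the subset of hostapd.conf keys this example cares about."""
    return "\n".join(
        [
            f"ssid={cfg['ssid']}",
            "wpa=2",
            "wpa_key_mgmt=WPA-PSK",
            "rsn_pairwise=CCMP",
            f"wpa_passphrase={cfg['wpa_passphrase']}",
        ]
    ) + "\n"


if __name__ == "__main__":
    # Constructed serial number for demonstration only.
    demo_serial = "IXSE2ABC123456"
    print(render_hostapd(weak_ap_config(demo_serial)))
    print(render_hostapd(hardened_ap_config(demo_serial)))
```

The design point is that a default credential is only acceptable if it is unique per device, generated from a CSPRNG rather than derived from anything the device already broadcasts, and replaceable by the owner; `validate_psk` encodes those three conditions so that a later user-chosen password is held to the same bar as the factory one.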