Own an Insta360 camera? This flaw could let anyone access your photos and videos
Serious security flaw has yet to be patched after seven months
A security flaw discovered seven months ago in one of the best 360 cameras could allow anyone to access and download photos and videos captured by an Insta360 camera.
As reported by Cybernews, a Reddit user made a post on the Insta360 subreddit back in January of this year in which they revealed they had discovered a serious vulnerability in the Insta360 One X2 camera.
Apparently, when the camera is on, “it’s always broadcasting a 5G Wi-Fi signal that is named ‘One X2 XXXXXX.OSC’ where the X marks the last characters of your camera’s serial number”. This makes it possible for users to connect to their Insta360 cameras over Wi-Fi but the flaw allows anyone else to do so as well.
At the same time, the eight-symbol password, which consists of a single number, is the same for every device and, as a result of firmware limitations, users aren’t able to change their passwords.
An easy way to infect users with malware
The Reddit user also discovered that by following a simple URL with the camera’s IP address, they could access and download photos and videos right from a browser.
This makes it possible to gain root access to the camera over Wi-Fi. From here, an attacker with basic tools could put malware on the camera’s SD card, which could then be easily transferred to the owner’s computer when they plug it in.
Unlike other malware infections, users might not even be aware that their devices had become infected as they hadn’t visited any suspicious sites or downloaded any malicious content onto their devices.
Still unpatched
Even though this flaw was discovered seven months ago, Insta360 has yet to release a fix despite the fact that the Shenzhen-based company is likely aware of the issue.
In the Reddit post, another user pointed out how an attacker could easily target Insta360 owners using just a laptop running a Python script.
In an email to Tom's Guide, a company spokesperson for Insta360 explained that the company has been working on updating the firmware for its devices as well as its app for the past few months.
Once these changes are finalized, users will be able to choose their own password for additional security and it will no longer be possible to access content from an Insta360 camera through a web browser. We don't have a set date as to when these changes will be rolling out but hopefully, they'll arrive soon.
How to stay safe until a fix is released
Until this issue is fixed once and for all, it might be best to leave your Insta360 camera at home while traveling.
While you can still use it around your house, an attacker could pull off a ‘drive-by attack’ and infect your camera with malware.
If you’re really concerned about falling victim to a potential attack, letting your device run out of battery or removing the battery altogether and storing it in a closet may be the safest thing you can do until a fix is released.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.