Vulnerability in Insta360 Cameras Lets Anyone Download Your Photos


Earlier this year, a major vulnerability in Insta360 camera software was discovered by users on Reddit. In short, it let anyone connect to any Insta360 camera and download the photos. Seven months later and much of the issue remains unfixed.

The Exploit Revealed on Reddit

In January, Reddit user cmdr_sidhartagautama published a detailed breakdown of a vulnerability he discovered in the Insta360 One X2 camera. He realized that out of the box, the camera would always broadcast a Wi-Fi signal named “ONE X2 XXXXXX.OSC,” where the “X” stands for the last characters of any camera’s serial number.

Anyone in range of the camera could discover this network on their laptop or smartphone, but most probably weren’t concerned since it still required a password. But cmdr_sidhartagautama pointed out that the password to Insta360 cameras is not only always the same on every camera, but it also cannot be changed.

“This camera has more holes than Swiss cheese. Honestly, I don’t remember seeing a consumer product — with a reach as big as Insta360 — as insecure as this. He writes that this is an example of beginner CTF level broken… in many places.”

In that report cmdr_sidhartagautama demonstrated the ability to access the camera’s content using both a particular URL .. The hacker also showed the ability to get root access to camera via Wi-Fi.

It would not be difficult for hackers to drive-by on these cameras and inject malware into SD cards which could then be read later by your computer at work/home.

While the report is now months old, the issue was brought to PetaPixel’s attention late last week when a new Reddit post noted that the issue had not yet been fixed by Insta360 despite being brought to the company’s attention back in January.

Insta360 Says it is Working On It

PetaPixel reached out to Insta360 for comment.

“We are indeed aware of it and have been working on updating the firmware and app in the past few months based on the user feedback from our community,” an Insta360 representative says.

Currently, the list_directory is closed and the browser cannot access camera content. To improve security, we are also updating firmware and the app. Users can now change their passwords. Once the update is implemented, users will receive notification in their app/firmware releases notes.

“We’ll make sure to follow up and implement the app/firmware update in a reasonable timeframe.”

The Firmware Fix May Not Suffice

Being able to change the camera’s Wi-Fi name and password would be helpful, but according to cmdr_sidhartagautama, it won’t fix the issues entirely.

“It has been suggested by some users that just putting a user-chosen (or randomized) Wi-Fi password would fix the issue. It won’t,” they say.

“And the reason is that the API the camera is using does not do any authentication on the request meaning any app installed on the device (including a malicious one that you don’t know is there to steal your videos/photos or install malware on your SDCARD) can make an HTTP request to the camera’s IP and access that API, if you are connected to the camera.”

Another Redditor, bmajkii, agrees.

I’m not sure why so many people trivialize the topic both in this thread and elsewhere. Flaws found are serious security risks. They write that any decent company with integrity would already have plans and fixes in place for security issues before they were posted on Reddit.

” Hardcoded Wi-Fi password are just a few of the problems. Even if it would be allowed to be changed, you would still be changing the password via some Bluetooth API/endpoint that is probably still vulnerable.

Some argued it wasn’t possible to have two cameras connected simultaneously over telnet.

To people who claim that you can’t connect two cameras simultaneously via Wi-Fi, bmajkii says: “You can. I did.

“Imagine that you’re on vacation and strolling through busy city center while recording some footage via your camera (as far as I checked all “consumer” cameras ale vulnerable). A potential attacker can infect your smartphone/PC by simply sitting down on a bench and running a Python script. Then, you will try later to open a file on the SD card you think is a video that was recorded .”


Image credits: Header photo by Ryan Mense for PetaPixel.