Security Hole in Insta360 Cameras Allows Hackers to See All Content Remotely

According to users on Reddit, there appears to be a security hole in the Insta360 One RS and other cameras that will enable anyone to remotely connect to the camera and download all content.

The hole makes it easy for users to determine an unchangeable WiFi password and connect to the device and gain root access. But the worst part is, that the company has known about it since January.

Image Credit: Insta360

Providing a detailed account of his successful hack of an Insta360 One RS camera straight out of the box, Reddit user “cmdr_sidhartagautama” was able to discover the device’s SSID which is based on the four digits of the camera’s serial number.

“When you have your camera on, it’s always broadcasting a 5G wifi signal that is named “ONE X2 XXXXXX.OSC” where the X marks the last characters of your camera’s serial number,” writes cmdr_sidhartagautama on Reddit.

The irony is, that he wasn’t even trying to hack the device. “I found this vulnerability in less than one hour and I wasn’t even looking for exploits,” cmdr_sidhartagautama added, “but ways to fix the horrible user experience of your cameras.”

Cmdr_sidhartagautama goes on to add that Insta360 gives all their cameras the unchangeable password of “88888888.” Therefore, once a hacker sees the camera’s wifi signal, they can simply brute force the last four digits of the serial number, input the password, and gain full access to the device through a browser by typing the URL “http://192.168.42.1:80/DCIM/Camera01.”

Not only was the user able to remotely access and download all content on the camera, but with a bit of extra poking around, they were able to gain root access, even thru the Insta360 app.

It means that a hacker could not only download private content but also potentially install malware which could then infect a user’s computer when the camera is connected to the desktop.

Image Credit – Insta360

Furthermore, since cmdr_sidhartagautama was able to co-opt the Android app as well. “And, since Insta360 basically asks for control of your mobile device, that means that a hacker that finds the right vulnerabilities (which – from experience, I can tell are probably there) can take control of your device and do everything Insta360 does, remotely,” he concludes.

Other users on Reddit seemed to echo the conclusion. User BMAJKII states: “Hardcoded Wi-Fi password is just one of the issues. Even if it would be allowed to be changed, you would still be changing the password via some Bluetooth API/endpoint that is probably still vulnerable. From my perspective running telnet service (with easy root access) on production-grade firmware is a joke.”

Insta360 has responded to the news stating that it has been working on plugging all the vulnerabilities and holes in the Insta360 firmware, and has stated that it has removed the ability to access the camera using a browser, and will soon release a firmware update that will enable users to change their passwords and SSID names.

Image Credit – Insta360

However, cmdr_sidhartagautama states that won’t really fix the problem since the API that the camera uses can’t authenticate requests from any app on the camera’s microSD card.

So if a hacker manages to get malware installed before the password has been changed, it conceivably could continue to have free reign, infecting other devices. “… any app installed on the device (including a malicious one) can make an HTTP request to the camera’s IP and access that API if you are connected to the camera,”

Fortunately, cmdr_sidhartagautama and other users on Reddit have brought this issue to light.

Security is a serious issue with wifi enabled devices, and it’s high time tech companies spent as much time making the devices secure as they do innovating the new features we crave. Now it only remains to be seen if Insta360 will rise to the occasion and plug all the holes in their leaky damn.

[source: PetaPixel]

Claim your copy of DAVINCI RESOLVE - SIMPLIFIED COURSE with 50% off! Get Instant Access!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.