As reported by Cybernews (opens in new tab), a Reddit user made a post (opens in new tab) on the Insta 360 subreddit back in January of this year in which they revealed they had discovered a serious vulnerability in the Insta360 One X2 camera. Apparently, when the camera is on, “it’s always broadcasting a 5G Wi-Fi signal that is named ‘One X2 XXXXXX.OSC’ where the X marks the last characters of your camera’s serial number”. This makes it possible for users to connect to their Insta360 cameras over Wi-Fi but the flaw allows anyone else to do so as well. At the same time, the eight symbol password which consists of a single number is the same for every device and as a result of firmware limitations, users aren’t able to change their passwords.
An easy way to infect users with malware
The Reddit user also discovered that by following a simple URL with an IP address of the camera that they could access and download photos and videos right from a browser. This makes it possible to gain root access to the camera over Wi-Fi. From here, an attacker with basic tools could put malware on the camera’s SD card which could then be easily transferred to their computer when they plug it in. Unlike other malware infections, users might not even be aware that their devices had become infected as they hadn’t visited any suspicious sites or downloaded any malicious content onto their devices.
Still unpatched
Even though this flaw was discovered seven months ago, Insta360 has yet to release a fix despite the fact that the Shenzen-based company is likely aware of the issue. In the Reddit post, another user pointed out how an attacker could easily target Insta360 owners using just a laptop running a python script. In an email to Tom’s Guide, a company spokesperson for Insta360 explained that the company has been working on updating the firmware for its devices as well as its app for the past few months. Once these changes are finalized, users will be able to choose their own password for additional security and it will no longer be possible to access content from an Insta360 camera through a web browser. We don’t have a set date as to when these changes will be rolling out but hopefully, they’ll arrive soon.
How to stay safe until a fix is released
Until this issue is fixed once and for all, it might be best to leave your Insta360 camera at home while traveling. While you can still use it around your house, an attacker could pull off a ‘drive-by attack’ and infect your camera with malware. If you’re really concerned about falling victim to a potential attack, letting your device run out of battery or removing the battery altogether and storing it in a closet may be the safest thing you can do until a fix is released.