Skip to main content

Own an Insta360 camera? This flaw could let anyone access your photos and videos

Insta360 One X2
(Image credit: Future)

A security flaw discovered seven months ago in one of the best 360 cameras could allow anyone to access and download photos and videos captured by an Insta 360 camera.

As reported by Cybernews (opens in new tab), a Reddit user made a post (opens in new tab) on the Insta 360 subreddit back in January of this year in which they revealed they had discovered a serious vulnerability in the Insta360 One X2 camera.

Apparently, when the camera is on, “it’s always broadcasting a 5G Wi-Fi signal that is named ‘One X2 XXXXXX.OSC’ where the X marks the last characters of your camera’s serial number”. This makes it possible for users to connect to their Insta360 cameras over Wi-Fi but the flaw allows anyone else to do so as well.

At the same time, the eight symbol password which consists of a single number is the same for every device and as a result of firmware limitations, users aren’t able to change their passwords.

An easy way to infect users with malware

Malware

(Image credit: solarseven/Shutterstock)

The Reddit user also discovered that by following a simple URL with an IP address of the camera that they could access and download photos and videos right from a browser.

This makes it possible to gain root access to the camera over Wi-Fi. From here, an attacker with basic tools could put malware on the camera’s SD card which could then be easily transferred to their computer when they plug it in.

Unlike other malware infections, users might not even be aware that their devices had become infected as they hadn’t visited any suspicious sites or downloaded any malicious content onto their devices.

Still unpatched

Even though this flaw was discovered seven months ago, Insta360 has yet to release a fix despite the fact that the Shenzen-based company is likely aware of the issue.

In the Reddit post, another user pointed out how an attacker could easily target Insta360 owners using just a laptop running a python script.

In an email to Tom's Guide, a company spokesperson for Insta360 explained that the company has been working on updating the firmware for its devices as well as its app for the past few months. 

Once these changes are finalized, users will be able to choose their own password for additional security and it will no longer be possible to access content from an Insta360 camera through a web browser. We don't have a set date as to when these changes will be rolling out but hopefully, they'll arrive soon.

How to stay safe until a fix is released

Insta360 One X2

(Image credit: Future)

Until this issue is fixed once and for all, it might be best to leave your Insta360 camera at home while traveling.

While you can still use it around your house, an attacker could pull off a ‘drive-by attack’ and infect your camera with malware.

If you’re really concerned about falling victim to a potential attack, letting your device run out of battery or removing the battery altogether and storing it in a closet may be the safest thing you can do until a fix is released. 

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.