Updates:
- 2022-1-28 – Additional details.
- 2022-1-31 – Added link to YouTube video discussion.
Over on REDDIT I found a troubling post about the 360 camera I am currently reviewing:
Doing a bit of searching led me to more information elsewhere in a forum post from 3/6/2021:
https://www.goprawn.com/forum/ambarella-cams/19528-insta360-one-x2-runs-on-amba
How can a popular consumer product have a hard-coded WiFi password that gives access to all your photos and videos? Even worse, how can it have a non-encrypted telnet server (which even Windows and macOS have removed) that lets one log in as the root user without needing a password?
Since this information has been public for nearly a year, if not longer, and the problem remains in the most recent firmware update (dated 1/22/2022 as of this writing), either Insta360 is unaware of the problem or doesn’t think it is a problem.
Either way, I think I’m going to change the root password on mine, and a REDDIT reply says you can change the WiFi password if you don’t mind manually connecting WiFi to the camera each time.
Baby steps.
Until next time…
Additional Details
The WiFi password is reportedly generated by Bluetooth and ends up in a temporary file that is created each time:
/tmp/wpa_supplicant.conf
The script that generates this file is in /usr/local/share/script/
There, I see places where AP_PASSWD is set, overwriting a default of 1234567890 listed in wifi.conf/wifi.ap.conf.
ap_start.sh may be the one (AP = access point).
I will share details on whether there is an easy way to alter the password from the default, assuming the Insta360 app allows that. My thought is generating a new file on startup and making it read-only so the app cannot overwrite it.
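One way to check a local copy of that script directory for the default password, as an added example that is not from the original post or Insta360's firmware. It assumes the files use shell-style `AP_PASSWD=value` lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Insta360 code): audit a copy of /usr/local/share/script/
# ASSUMPTION: assignments are shell-style lines such as AP_PASSWD=value.
# Usage: source this file, then run: audit_dir /path/to/copy

DEFAULT_AP_PASSWD=1234567890   # default the page reports in wifi.conf/wifi.ap.conf

# classify_passwd VALUE -> DEFAULT | DYNAMIC | INVALID | CUSTOM
classify_passwd() {
    case $1 in
        "$DEFAULT_AP_PASSWD") echo DEFAULT; return ;;
        *'$'*|*'`'*)          echo DYNAMIC; return ;;  # filled in at run time
    esac
    # WPA2-PSK passphrases must be 8 to 63 characters long.
    if [ "${#1}" -lt 8 ] || [ "${#1}" -gt 63 ]; then
        echo INVALID
    else
        echo CUSTOM
    fi
}

# scan_dir DIR: print "file:line:CLASS" for each AP_PASSWD assignment found.
scan_dir() {
    grep -rnH -E '^[[:space:]]*(export[[:space:]]+)?AP_PASSWD=' "$1" 2>/dev/null |
    while IFS=: read -r file line text; do
        value=${text#*AP_PASSWD=}
        # Drop a trailing comment, trailing whitespace and surrounding quotes.
        value=$(printf '%s\n' "$value" |
            sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
                -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
        printf '%s:%s:%s\n' "$file" "$line" "$(classify_passwd "$value")"
    done
}

# audit_dir DIR: print the report; exit status 1 if any default remains.
audit_dir() {
    report=$(scan_dir "$1")
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -q ':DEFAULT$'; then return 1; fi
    return 0
}
```

A `DYNAMIC` result marks a line where a script fills in the value at run time, which is the place to look when working out what overwrites the default.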
Shared Security Show on YouTube
Discussed at the 14:40 mark.