Insta 3 shity one x2

From Rollerbladers Wiki
Jump to navigation Jump to search

If you are planing to purchase one of these cameras for $600 CAD plus tax for your inline skating activities, you may be interested in making a well informed consumer decision.. before you buy it and cannot return it.

Insta360 one x2 cameras have been making quite the buzz around the inline skating community, but what not one talks or looks into are the downsides (at the time of this writing) because all these skaters want, is the free stuff that comes with promoting this product.

Update: 23 June 2022. Since this article was written and became public. This hosting platform has been a target of denial of service attacks

App

The google play rating and feedback about the app, is quite telling. Other than that:

  • The app .apk is huge (+~- 500 mb) for what it appears to do. Over bloated for it's real practical use. The mobile app is very minimal for video use.
  • 70% of the app is mostly videos and or shortcuts to videos that can be found on youtube to promote how amazing the camera is and the miracles you can do
  • 15% of the app is forum and user help
  • 10% gather info and spy on you
  • 5% is user features

Overall, in comparison with the hardware, the mobile app is, in all honesty... garbage and just dumps advertisement on the user.

Supported platforms

  • Windows, MAC and android Linux
  • Linux desktop is NOT supported. (the manufacturer does not like Linux platforms)
  • Unix NOT supported

Voice control

In addition to spelling (which is expected) voice control is sensitive to accent and tone. The camera needs you to speak the way the camera wants. Does not learn from you. You cannot program it to your voice. If your tone changes (cold, sinus, health, etc), you will be talking to a brick.

It will be very interesting if you talk to it while drunk.

Bluetooth and Wifi

Bluetooth and wifi cannot be turned off to save battery consumption. They are always on which also broadcasts their signal to remote attackers that will will exploit the known vulnerabilities stated bellow as well as new ones. Wireless technology does have and will keep have vulnerabilities.

Bluetooth connection

Although this may depend on your mobile device operating system and or hardware, bluetooth connection from the mobile device to the camera, is hard, troublesome, fails most of the time, and keeps asking for a pin to establish connection. However, such functional pin is nowhere to be found in any way shape or form anywhere.

Online help in regards to bluetooth connection is little to ineffective in solving the problem. This includes official manufacturer information.

Devices used:

  • Pixel 5 + google android 12
  • Iphone with OS 12
  • Samsung galaxy 5 + LineageOS 18
  • IdeaPAd L340 + Windows 10
  • Gentoo Linux

Premium lens

Insta360 one x2 Insta 360 screen taken directly from the .insv video file

This is the first time the camera was used to shoot while using premium lens and the camera was mounted vertically on top of the shoulder on a backpack. The image bellow is the screen capture of the result. The camera had also been calibrated.

Boiling temperature

Insta360 one x2 temperature after a few minutes recording
  • At 15 minutes of recording run time the temperature was over 41 C
  • At 30 minutes of recording run time the temperature was over 42 C

Privacy

While privacy of what content you willingly and knowingly publish out there, is under your control, this camera, does somethings behind the curtains, that you don't know or perhaps do not care and this camera is by it's default operation a privacy destroyer.

Forced activation

In order to be able to use the camera you need to be connected online to register it for the first time. If you do not go online, you cannot use it.

Imagine that in order to use your skates on your feet, they need to be activated by the manufacturer that needs to know where you are using them

When you activate the camera, the other side gets information about you that includes, but not limited to your location, ip address, device used and more.

The forced activation reason is to prevent YOU, the owner of the camera, to re-sell it. You the owner, must not re-sell the camera without permission. You pay for something that you do not fully own but think you do.

leftInsta360 one x2 forced activation and forbidden re-sell without permission

See also:

Forced dual wireless connection

In order to be able to to access the camera with your mobile device, you have to have data access to the internet as well as your wifi active. The wifi connection will connect to the camera and the app will use the your internet data connection provider to register the camera and send your information to someone on the other side.

You cannot use just one connection. It forces you to use both on the mobile app

GPS location

In order to use the mobile app, the user is forced to activate the mobile device gps and allow the app to access it. This is done under the excuse that it needs it to find the remote device. Many mobile apps do this but in reality the only thing needed is nearby devices feature active and all this could use bluetooth instead. However, the manufacturer wants to know where you are. (see where these devices are manufactured and what that country is doing tracking drones).

Imagine that to connect your computer to your home wifi, you will have to provide your gps location to the manufacturer of your computer or home router.

VPN

VPN The mobile app vpn feature conflicts with your other vpn setup on or mobile device. The app itself provides a proxy feature that is a vpn.

Forced VPN shutdown

If you have a vpn setup on your phone, (work, personal, professional and or security reasons), you will have to shut it down in order to be able to use the mobile app to access the camera by wifi.

If your mobile vpn setup is set to prevent all mobile apps to leak information to the internet and block apps without vpn access for higher security or due to vpn remote security settings, you will have to shut all this down which effectively will allow all apps to work normal and leak information to any internet service they want.

In order words, you cannot use your mobile vpn if you want to access the camera by wifi. You have to turn you vpn off and let all apps go free access anywhere.

The manufacturer of this camera, wants to know your internet location and address.

Vulnerabilities

This camera has a hardcoded admin/root login password and is always by default: 88888888 for all cameras. Given to be hardcoded, it is not possible for the end user to change it.

Anyone finding your camera wifi signal (ssid) can easily connect to your camera using that wifi password and visiting the URL bellow with their browsers and see all your camera content.

http://192.168.42.1:80/DCIM/Camera01

It would be trivial for a hacker to do a drive-by attack on these camera, injecting malware into the SDcard which would later be read by your work/home computer... in fact, I'm pretty sure this could be wormable, using one camera to attack another in a cascading effect.

Telnet access

The camera has a non-encrypted telnet server (which even Windows and macOS have removed) that lets one login as the root user.

Vulnerabilities discussion

Starting at minute 14:40

Recommendation

  • If you do not need to make 360 videos. Using the smartphone on a selfie stick.is a far better and less troublesome option.
  • If you need to make 360 videos, find something else or bite the bullet in regards to all these downsides.
  • If you use this camera and or it's software, edit your videos on a device without internet connection.
As it stands, if you care about privacy and security of your data (and mobile device), I advise against using this camera anywhere else other than inside a Faraday cage.

Links

Bluetooth PIN issue

Additional problems

Gps remote

Ambarella chip