Insta 3 shity one x2
If you are planning to purchase one of these cameras for $600 CAD plus tax for your inline skating activities, you may be interested in making a well-informed consumer decision before you buy it and cannot return it.
Insta360 one x2 cameras have been making quite the buzz around the inline skating community, but what no one talks about or looks into are the downsides (at the time of this writing).
App
The Google Play rating and feedback about the app are quite telling. Other than that:
- The app .apk is huge (approximately 500 MB) for what it appears to do. It is overbloated for its real practical use. The mobile app is very minimal for video use.
- 70% of the app is mostly videos and/or shortcuts to videos that can be found on YouTube to promote how amazing the camera is and the miracles you can do
- 15% of the app is forum and user help
- 10% gathers info and spies on you
- 5% is user features
Overall, in comparison with the hardware, the mobile app is, in all honesty... garbage and just dumps advertisement on the user.
Supported platforms
Voice control
In addition to spelling (which is expected), voice control is sensitive to accent and tone. The camera needs you to speak the way the camera wants. It does not learn from you. You cannot program it to your voice. If your tone changes (cold, sinus, health, etc.), you will be talking to a brick.
It will be very interesting if you talk to it while drunk.
Bluetooth and Wifi
Bluetooth and wifi cannot be turned off to save battery. They are always on, which also broadcasts their signal to remote attackers that will exploit the known vulnerabilities stated below as well as new ones. Wireless technology does have and will keep having vulnerabilities.
Bluetooth connection
Although this may depend on your mobile device operating system and/or hardware, the bluetooth connection from the mobile device to the camera is hard, troublesome, fails most of the time, and keeps asking for a pin to establish connection. However, such a functional pin is nowhere to be found in any way, shape or form.
Online help in regards to the bluetooth connection does little to solve the problem. This includes official manufacturer information.
Devices used:
- Pixel 5 + Google Android 12
- iPhone with OS 12
- Samsung Galaxy 5 + LineageOS 18
- IdeaPad L340 + Windows 10
- Gentoo Linux
Privacy
While the privacy of the content you willingly and knowingly publish out there is under your control, this camera does some things behind the curtains that you don't know about or perhaps do not care about, and this camera is, by its default operation, a privacy destroyer.
Forced activation
In order to be able to use the camera you need to be connected online to register it for the first time. If you do not go online, you cannot use it.
Imagine that in order to use your skates on your feet, they need to be activated by the manufacturer that needs to know where you are using them.
When you activate the camera, the other side gets information about you, including, but not limited to, your location, IP address, device used and more.
Forced dual wireless connection
In order to be able to access the camera with your mobile device, you have to have data access to the internet as well as your wifi active. The wifi connection will connect to the camera and the app will use your internet data connection provider to register the camera and send your information to someone on the other side.
You cannot use just one connection. It forces you to use both on the mobile app.
GPS location
In order to use the mobile app, the user is forced to activate the mobile device gps and allow the app to access it. This is done under the excuse that it needs it to find the remote device. Many mobile apps do this, but in reality the only thing needed is for the nearby devices feature to be active, and all this could use bluetooth instead. However, the manufacturer wants to know where you are (see where these devices are manufactured and what that country is doing tracking drones).
Imagine that to connect your computer to your home wifi, you will have to provide your gps location to the manufacturer of your computer or home router.
VPN
The mobile app vpn feature conflicts with your other vpn setup on your mobile device. The app itself provides a proxy feature that is a vpn.
Forced VPN shutdown
If you have a vpn setup on your phone (for work, personal, professional and/or security reasons), you will have to shut it down in order to be able to use the mobile app to access the camera by wifi.
If your mobile vpn setup is set to prevent all mobile apps from leaking information to the internet and to block apps without vpn access, for higher security or due to vpn remote security settings, you will have to shut all this down, which effectively will allow all apps to work normally and leak information to any internet service they want.
In other words, you cannot use your mobile vpn if you want to access the camera by wifi. You have to turn your vpn off and let all apps have free access anywhere.
Vulnerabilities
This camera has a hardcoded admin/root login password, which is always by default: 88888888 for all cameras. Because it is hardcoded, it is not possible for the end user to change it.
Anyone finding your camera wifi signal (ssid) can easily connect to your camera using that wifi password and, by visiting the URL below with their browser, see all your camera content.
http://192.168.42.1:80/DCIM/Camera01
It would be trivial for a hacker to do a drive-by attack on these cameras, injecting malware into the SD card which would later be read by your work/home computer... in fact, I'm pretty sure this could be wormable, using one camera to attack another in a cascading effect.
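A triage check for the SD-card risk described above, as an added example that is not part of the original post: before opening a card on a work/home computer, it lists every file that is not plain footage, judging by leading bytes as well as by extension. The extension allowlist and the sample file names are assumptions made for illustration.

```python
"""Triage a camera SD card before opening its files on a work/home computer."""
import sys
import tempfile
from pathlib import Path

# Assumption: media extensions expected on the card; adjust to what your camera writes.
EXPECTED_EXT = {".insv", ".insp", ".lrv", ".mp4", ".jpg", ".dng"}
# Leading bytes of formats that should never appear among camera footage.
EXEC_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable",
              b"#!": "script with shebang", b"PK\x03\x04": "zip/apk/jar archive"}
AUTORUN_NAMES = {"autorun.inf"}


def triage_card(root):
    """Return sorted (relative_path, reason) pairs for files that are not plain media."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            head = fh.read(4)
        magic = next((why for sig, why in EXEC_MAGIC.items() if head.startswith(sig)), None)
        if path.name.lower() in AUTORUN_NAMES:
            findings.append((rel, "autorun-style file"))
        elif magic:  # content wins over the extension, so a renamed binary is caught
            findings.append((rel, magic))
        elif path.suffix.lower() not in EXPECTED_EXT:
            findings.append((rel, "unexpected extension"))
    return sorted(findings)


def build_sample_card(root):
    """Constructed sample tree: two media files and three files that should be flagged."""
    cam = Path(root) / "DCIM" / "Camera01"
    cam.mkdir(parents=True)
    (cam / "VID_0001.insv").write_bytes(b"\x00\x00\x00\x20ftypisom")
    (cam / "IMG_0002.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")
    (cam / "VID_0003.mp4").write_bytes(b"MZ\x90\x00fake")  # binary renamed as video
    (cam / "update.bin").write_bytes(b"\x00\x01\x02\x03")
    (Path(root) / "autorun.inf").write_text("[autorun]\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_card(tempfile.mkdtemp())
    for rel, reason in triage_card(target):
        print(f"{reason:22} {rel}")
```

Run it with the card's mount point as the only argument; with no argument it runs against the constructed sample tree. Mounting the card read-only with autorun disabled before running the check keeps the triage itself from touching the files.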
Telnet access
The camera has a non-encrypted telnet server (which even Windows and macOS have removed) that lets one log in as the root user.
Vulnerabilities discussion
Starting at minute 14:40
Recommendation
- If you do not need to make 360 videos, using a smartphone on a selfie stick is a far better and less troublesome option.
- If you need to make 360 videos, find something else or bite the bullet in regards to all these downsides.
- If you use this camera and/or its software, edit your videos on a device without internet connection.
As it stands, if you care about privacy and security of your data (and mobile device), I advise against using this camera anywhere else other than inside a Faraday cage.
Links
- Insta360 one x2 default wifi password and telnet root access
- Insta360 One X2 hidden feature
- Insta360 one x2 mobile device compatibility
Bluetooth PIN issue
- One x2 Bluetooth PIN issue and app problems
- What is the pin I need to connect to bluetooth?
- Bluetooth connection from insta360.com