Post

Conversation

Byron Wan
@Byron_Wan
🇨🇳 Insta360 cameras, which are used by NASA, USAF and many other Americans, are collecting data and communicating with servers in China and Russia, posing a potential national security threat. Liu Jingkang (JK Liu; 刘靖康), the founder and CEO of Shenzhen-based 🇨🇳 Arashi Vision (d.b.a. Insta360; 影石科技) which makes the cameras, has ties to the CCP through his appointment as a "promotion ambassador" for a United Front-affiliated event, the 5th World Hakka Youth Conference. Insta360 X4 cameras have been found to be communicating with 276 foreign endpoints, many in China and Russia, including about a dozen belonging to TikTok owner Bytedance as well as to Huawei and to state-owned China Telecom, both of which are under US sanctions. These cameras can either actively or passively collect national security-critical data continuously with a degree of fidelity and precision that is likely impossible through any other means, including human sources. The cameras have become deeply embedded in NASA's work, capturing high-profile moments such as the live streaming of the landings on Mars by InSight and Perseverance and creating immersive VR tours of NASA facilities. NASA purchased the cameras in 2018. The Insta360 cameras and the associated app were used with devices that were not connected to a NASA network. During the landing broadcasts for Perseverance in 2021 and InSight in 2018 the camera was used to provide imagery, but neither were on NASA's internal or external facing network. The cameras have HDMI outputs. Software was used to switch between the two video feeds and was streamed to YouTube. The camera also was used for panoramic views in virtual tours of NASA's Glenn Research Center in Cleveland. The cameras did not undergo a security review prior to purchase, however, editing software used on NASA computers adhere to regularly audited security controls. Today, all new devices, whether attached to the network or not, are subject to NASA's security requirements. Insta360 cameras were also being used to document US military activities including in a USAF combat rescue helicopter the HH-60G Pave Hawk, the V-22 Osprey, CH-47 Chinook operations and skydiving by the US Army Black Daggers. The cameras were available at military exchanges for service personnel to purchase for personal use. Insta360 cameras and batteries were on sale at the Army Exchange at Schofield Barracks in Hawaii, sharing a rack with GoPro cameras. The camera is listed for sale on US Navy’s NEX Exchange website. The camera's app was allegedly sending the IMEI number of the smart device as well as its manufacturer, model, serial number, mobile operating system, and the user's gender, hobbies and birthdays. Also: third-party login account information, pictures, video and text content. The Android version of the app gathered permissions that might not be related to the functionality of the app, including current and recent running tasks, audio, images and video files, and active calls and other phone numbers. This could all be aggregated into extensive profiles on US citizens. The combination of data overcollection, audio exfiltration, and insecure data transmission creates a perfect storm of vulnerabilities for US users. Security vulnerabilities have been identified in the camera's firmware and hardware. Audio data captured through Insta360 devices appeared to be transmitted to servers belonging to 🇨🇳 iFlyTek without user notification or clear data usage policies. iFlyTek is sanctioned by the US on national security grounds. Insta360's Android app requests some permissions that relate only tangentially to its core functions and that raised privacy concerns. Escalating the concern is Insta360's partnership with companies that supported the PLA such as Huawei and DJI. GoPro filed a complaint with the US International Trade Commission in 2024 against Insta360 alleging patent infringement. The investigation is ongoing. newsweek.com/exclusive-how-
Image
19.4K
Views