
Surfacing Insta360: Strategic Infiltration, Cybersecurity Risks and National Security Implications of China's Action Camera Giant

LJ EADS & RYAN CLARKE

Executive Summary

1. Introduction to Insta360: Based in Shenzhen, Insta360 has gained global recognition for its cutting-edge 360-degree video technology, challenging GoPro in U.S. and international markets. The company was founded by Jingkang Liu, a "40 Under 40" business elite with ties to the CCP through his role as a promotion ambassador for the 5th World Hakka Youth Conference. Its products are widely used by 134 million individuals, businesses, government agencies, and the U.S. military.

2. Partnerships with Huawei and DJI: Insta360’s collaborations with Huawei and DJI—both scrutinized for ties to the Chinese Communist Party (CCP) and its People’s Liberation Army (PLA)—highlight potential risks of integrating Chinese technology into critical sectors, given past concerns about data security and espionage.

3. Cybersecurity Vulnerabilities: Insta360 products, including the Insta360 X4, exhibit significant cybersecurity flaws, such as weak hardware protections, unauthenticated data transmission, and excessive data collection, making them vulnerable to exploitation by malicious actors.

4. Overcollection of User Data: The Insta360 app collects a wide range of user information, including IMEI numbers, location settings, user profiles, and third-party account details, often without meaningful opt-out options, raising serious privacy concerns.

5. Audio Exfiltration Risks: Audio data captured through Insta360 devices is transmitted to Chinese iFlyTek servers without user notification or clear data usage policies, potentially enabling unauthorized surveillance or data misuse.

6. National Security Concerns: Insta360’s vulnerabilities present broader national security risks, particularly given its potential alignment with China’s Military-Civil Fusion strategy and the CCP’s ability to compel data access under Chinese law.

7. Integration into U.S. Military and Government Operations: Insta360 cameras have been used in NASA projects and on military platforms like the Air Force’s HH-60G Pave Hawk and CV-22 Osprey, and are available at DoD Exchanges for sale to U.S. Service Members, raising concerns about the exposure of sensitive data and operations through vulnerable technology. These cameras can either actively or passively collect national security-critical data continuously with a degree of fidelity and precision that is likely impossible through any other means, including human sources.

8. Connections to ByteDance and Foreign Servers: The app communicates with 276 foreign endpoints, including ByteDance, Huawei, and China Telecom-related domains, amplifying concerns about data aggregation, surveillance, and potential misuse by foreign entities. ByteDance is the parent company that owns TikTok, a CCP subversion operation.

9. Use of U.S.-Origin Components: Insta360 incorporates U.S.-made components, such as Ambarella vision processors and Micron flash memory, raising risks of reverse engineering, intellectual property leakage, and dual-use technology exploitation.

10. Facial Recognition Technology and Mass Surveillance: Insta360's patented facial recognition innovations enable precise tracking of individuals in crowded environments, potentially supporting mass surveillance and human rights abuses if leveraged by the CCP, exported to authoritarian regimes and/or clandestinely deployed inside the United States or Allied environments.
