The issue was highlighted by infosec professional Lee Heath on Christmas Day, who received a BlackVue dash cam as a gift.
New gift. BlackVue dashcam. The app allows anyone to sign up. And some people are sharing their dashcam footage which includes GPS. Like a doorbell camera but worse. WTF? pic.twitter.com/Vgza9juC3w
— MadHat Unspecific – InfoSec Mercenary (@unspecific) December 25, 2019
Motherboard explained how it was able to extract location data via the BlackVue iPhone app:
By reverse engineering the iOS version of the BlackVue app, Motherboard was able to write scripts that pull the GPS location of BlackVue users over a week long period and store the coordinates and other information like the user’s unique identifier. One script could collect the location data of every BlackVue user who had mapping enabled on the eastern half of the United States every two minutes. Motherboard collected data on dozens of customers.
With that data, we were able to build a picture of several BlackVue users’ daily routines: one drove around Manhattan during the day, perhaps as a rideshare driver, before then leaving for Queens in the evening. Another BlackVue user regularly drove around Brooklyn, before parking on a specific block in Queens overnight. The user did this for several different nights, suggesting this may be where the owner lives or stores their vehicle. A third showed someone driving a truck all over South Carolina.
BlackVue says that it has now updated its security measures.
Concerns about the security and privacy of vehicle dash cams is nothing new.
In September 2018, it was disclosed that one vendor’s dash cams were sharing video footage from vehicles and real-time GPS location details by default – a design decision that was criticised for its “sheer unadulterated incompetence” that resulted in the “massive breach of their customers’ security and trust”
The name of that dashcam manufacturer? BlackVue.
You can hear what he had to say about that in a “Smashing Security” podcast we recorded at the time.