#cybersecurity | #infosec | Internet-enabled dash cams that allow anyone to track your GPS location in real-time


Internet-enabled dash cams that allow anyone to track your location in real-time

Internet-enabled dash cams that allow anyone to track your location in real-time

Joseph Cox at Motherboard reports that car drivers who have installed a BlackVue dash cam into their vehicle can have their real-time GPS location tracked.

The issue was highlighted by infosec professional Lee Heath on Christmas Day, who received a BlackVue dash cam as a gift.

Motherboard explained how it was able to extract location data via the BlackVue iPhone app:

By reverse engineering the iOS version of the BlackVue app, Motherboard was able to write scripts that pull the GPS location of BlackVue users over a week long period and store the coordinates and other information like the user’s unique identifier. One script could collect the location data of every BlackVue user who had mapping enabled on the eastern half of the United States every two minutes. Motherboard collected data on dozens of customers.

With that data, we were able to build a picture of several BlackVue users’ daily routines: one drove around Manhattan during the day, perhaps as a rideshare driver, before then leaving for Queens in the evening. Another BlackVue user regularly drove around Brooklyn, before parking on a specific block in Queens overnight. The user did this for several different nights, suggesting this may be where the owner lives or stores their vehicle. A third showed someone driving a truck all over South Carolina.

A screenshot of the location data of one Blackvue user that Motherboard tracked throughout New York.
An obfuscated screenshot of the location data of one BlackVue user that Motherboard tracked throughout New York. Source: Motherboard.

BlackVue says that it has now updated its security measures.

Concerns about the security and privacy of vehicle dash cams is nothing new.

In September 2018, it was disclosed that one vendor’s dash cams were sharing video footage from vehicles and real-time GPS location details by default – a design decision that was criticised for its “sheer unadulterated incompetence” that resulted in the “massive breach of their customers’ security and trust”

The name of that dashcam manufacturer? BlackVue.

You can hear what he had to say about that in a “Smashing Security” podcast we recorded at the time.

Graham Cluley