Update: I decided that after two years and unfortunately no positive results from BlackVue publishing this post was in the public interest especially with the rise in car crime, while not directly related to BlackVue, I figured it best be brought to peoples' attention.
I said at the start of 2022, when I originally wrote this blog post, that I was done with blog posts until I published LTR102.
One weekend in 2022, I bought a new dashcam, and while reading through the functionality, I came across the 'connect to the cloud' option from within the mobile application.
Now, my dashcam came with an LTE module to enable 'cloud connectivity'; my initial understanding was that this feature enabled push notifications to my phone if the camera detected motion or a bump to the car, which is perfectly reasonable.
Well, you would be wrong because, simply put, anyone with access to a mobile device(and it works in the browser, too) can download the Blackvue mobile application, open it up and select 'connect to the cloud'; no need for having a camera prior or anything like that.
For starters, this is pretty bad, but as these things go, it gets worse.
Signing up was as easy as dropping an email in(in this case, Gmail/Apple Private Relay), and it auto-signed me in via Gmail/Apple Private Relay depending on what OS app was chosen.
From here, I was able to view not only the geographic location of dashcams but also live feeds of what was going on.
Antisocial Engineer also informed BlackVue in November of 2020 about this but it appeared they did not want to resolve it and chalked it up to a feature.
I am not the first person to find or even report this to Blackvue.
Hi, I would like to raise a potential security issue, while digging around that I found that it's possible to views ANYONE'S dashcam who has a Blackvue Cloud account and who has not changed their default configuration.
Access the APP > connect to cloud > select a camera So have I've listened to conversions is in the car, viewed questionable driving and gained address and security information by watching cars access properties/garages.
Final verdict from BV:. It's a case of personal choice, personally it's not for me - viewing other people or being viewed by other people - but it's a feature that's available for those that want it.
The feature is a mature one, having been available for nearly 5 years.
Vice wrote about this same issue in Jan 2020 but it appears Blackvue changed some settings but refused to take responsibility for the privacy impacts of their application and the 'features'.
The easiest solution is not having a cloud-connected BlackVue at all, but if you do have one, turn off the GPS option within settings to prevent access.
This Cyber News was published on blog.zsec.uk. Publication date: Sat, 16 Mar 2024 00:13:22 +0000