Full Report
Community Feature - @ZephrFish

Curated Intelligence Staff member ZephrFish recently uncovered a concerning private information leak in BlackVue vehicular dashcams. Customers of BlackVue dashcams appear to be unknowingly exposing the precise GPS locations of their vehicles. To make matters worse, this is the default 'always on' setting. Anyone with the app can find other vehicles publicly broadcasting their geolocation, and anyone can monitor the footage captured by the dashcam. The BlackVue app also has no email verification and is free.

https://twitter.com/ZephrFish/status/1480155179144130561?s=20

Other security researchers have reportedly informed BlackVue about the privacy leak in the past. BlackVue stated that it is a feature, not a bug, and has no plans to make any changes. ZephrFish found that it was possible to monitor the feeds of emergency services vehicles, such as ambulances and police cars, as well as other normal road users. Some of the BlackVue dashcams also have audio enabled, meaning anyone could listen to the user's conversations while in their vehicles. Another point that someone raised is that this also affects EU customers under GDPR regulations. Inadvertently broadcasting the GPS location of even private cameras is a breach of GDPR.

Could be good for OSINT!

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Vulnerability: BlackVue Dashcam Geolocation and Video/Audio Leakage
## CVE Details
- **CVE ID:** Not explicitly provided in the text; this appears to be a design flaw/privacy issue rather than a specific, patched CVE.
- **CVSS Score:** Not provided. Based on the description (public exposure of location, video, and audio), the potential severity is high.
- **CWE:** Not provided, but related to Insecure Design or Exposure of Sensitive Information.
## Affected Systems
- **Products:** BlackVue vehicular dashcams utilizing the associated application/service.
- **Versions:** Implied to affect older firmware/configurations where this setting is default and unchangeable.
- **Configurations:** Systems where the privacy feature exposing location, footage, and potentially audio is set to the default 'always on' mode.
## Vulnerability Description
BlackVue dashcams, by default and without requiring email verification for the app, expose precise GPS locations of the vehicles publicly through the associated BlackVue application. This configuration allows anyone with the app to monitor the geographical location and live video footage captured by the dashcam. Furthermore, if audio is enabled on the camera, conversations inside the vehicle could also be monitored. This vulnerability significantly impacts user privacy and potentially violates GDPR for EU customers by inadvertently broadcasting the location of private property. BlackVue reportedly views this as a feature, not a bug, and has no current plans to change it.
## Exploitation
- **Status:** Functionality publicly available/known; potentially exploitable by anyone with the BlackVue app. (Described as exposing data publicly if the feature is enabled, not requiring specific remote exploitation techniques).
- **Complexity:** Low (Requires only having access to the BlackVue application which is free and lacks email verification).
- **Attack Vector:** Network/Application Access (Exploiting the public sharing feature of the connected system).
## Impact
- **Confidentiality:** High (Exposure of real-time precise GPS locations, video feed, and internal conversations).
- **Integrity:** Low (No indication of data tampering capability).
- **Availability:** Low (No direct impact on dashcam operation).
## Remediation
### Patches
- **Status:** No patches are explicitly mentioned as BlackVue reportedly considers this a "feature."
### Workarounds
- **Disabling Public Sharing:** Users must actively check and disable the feature within the BlackVue application that broadcasts geolocation and video feeds to the public network.
- **Disabling Audio:** If audio recording is a concern, users should disable audio capture in the dashcam settings.
## Detection
- **Indicators of Compromise:** Unexpected network activity from the dashcam beyond necessary cloud synchronization; unauthorized viewing of camera feeds or location tracking history if the system logs access.
- **Detection Methods and Tools:** Reviewing the privacy settings within the BlackVue companion application to confirm that location sharing and video broadcasting are explicitly disabled.
## References
- Vendor advisories: None found (Vendor maintains it is a feature).
- Relevant links (defanged):
  - Security Researcher Disclosure (Twitter): hxxps://twitter.com/ZephrFish/status/1480155179144130561?s=20
  - Initial Report (Blog): hxxps://www.curatedintel.org/2022/01/blackvue-dashcam-privacy-leaks-disclosed.html