BlackVue: Difference between revisions
Add June 2026 Nine News investigation and Tech Guide follow-up to the GPS location broadcasting incident covering BlackVue Australia's contradicted "private by default" claim, and the subsequent removal of the live-broadcast feature. Includes updates to the lead paragraph and impact summary, addition of new sub-section to GPS location broadcasting incidents, and addition of references 6-8. |
m Changed "BlackVue's Australian distributor" to "BlackVue Australia" throughout the article |
| Line 13: | Line 13: | ||
}} | }} | ||
'''BlackVue''' is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.<ref name="tracxn">{{Cite web |author= |title=BlackVue Company Profile |url=https://tracxn.com/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |website=Tracxn |date=1 Mar 2026 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1242-51/https://tracxn.com:443/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |archive-date=20 Apr 2025}}</ref> Since 2018, multiple independent security researchers have found that BlackVue's cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.<ref name="cybernews">{{Cite web |last=Lapienytė |first=Jurgita |title=BlackVue dash cameras let you track other users; the company says it's a feature, not a bug |url=https://cybernews.com/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |website=CyberNews |date=12 Jan 2022 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1249-07/https://cybernews.com:443/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |archive-date=20 Apr 2026}}</ref> Seven CVEs across two product lines remain un-patched or were only acknowledged after public disclosure,<ref name="cve23-github">{{Cite web |author=eyJhb |title=BlackVue DR750 CVE |url=https://github.com/eyJhb/blackvue-cve-2023 |website=[[GitHub]] |date=12 Apr 2023 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20230505111212/https://github.com/eyJhb/blackvue-cve-2023 |archive-date=5 May 2023}}</ref><ref name="cve25-github">{{Cite web |author=geo-chen |title=BlackVue Security Vulnerabilities |url=https://github.com/geo-chen/BlackVue |website=[[GitHub]] |date=6 Jul 2025 |access-date=19 Apr 2026 |url-status=live 
|archive-url=https://web.archive.org/web/20260420035635/https://github.com/geo-chen/BlackVue |archive-date=20 Apr 2026}}</ref> and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally-connected dashcam without an internet login.<ref name="blog-update">{{Cite web |author= |title=Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More |url=https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |website=BlackVue |date=13 Mar 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250728153154/https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |archive-date=28 Jul 2025}}</ref> In June 2026, Australian outlet Nine News found that BlackVue dashcams used in Australia were still broadcasting users' location, video, and audio by default, which BlackVue | '''BlackVue''' is a dashcam brand manufactured by Pittasoft Co. 
Ltd., a privately held South Korean company founded in 2007.<ref name="tracxn">{{Cite web |author= |title=BlackVue Company Profile |url=https://tracxn.com/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |website=Tracxn |date=1 Mar 2026 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1242-51/https://tracxn.com:443/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |archive-date=20 Apr 2025}}</ref> Since 2018, multiple independent security researchers have found that BlackVue's cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.<ref name="cybernews">{{Cite web |last=Lapienytė |first=Jurgita |title=BlackVue dash cameras let you track other users; the company says it's a feature, not a bug |url=https://cybernews.com/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |website=CyberNews |date=12 Jan 2022 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1249-07/https://cybernews.com:443/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |archive-date=20 Apr 2026}}</ref> Seven CVEs across two product lines remain un-patched or were only acknowledged after public disclosure,<ref name="cve23-github">{{Cite web |author=eyJhb |title=BlackVue DR750 CVE |url=https://github.com/eyJhb/blackvue-cve-2023 |website=[[GitHub]] |date=12 Apr 2023 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20230505111212/https://github.com/eyJhb/blackvue-cve-2023 |archive-date=5 May 2023}}</ref><ref name="cve25-github">{{Cite web |author=geo-chen |title=BlackVue Security Vulnerabilities |url=https://github.com/geo-chen/BlackVue |website=[[GitHub]] |date=6 Jul 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20260420035635/https://github.com/geo-chen/BlackVue 
|archive-date=20 Apr 2026}}</ref> and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally-connected dashcam without an internet login.<ref name="blog-update">{{Cite web |author= |title=Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More |url=https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |website=BlackVue |date=13 Mar 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250728153154/https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |archive-date=28 Jul 2025}}</ref> In June 2026, Australian outlet Nine News found that BlackVue dashcams used in Australia were still broadcasting users' location, video, and audio by default, which BlackVue Australia dismissed as "sensationalist and inaccurate."<ref name=":0">{{Cite web |last=Marshall |first=Sally |date=22 Jun 2026 |title=Fears Australian dashcam company could be putting customers' privacy at risk |url=https://www.nine.com.au/australia-news/fears-australian-dashcam-company-could-be-putting-customers-privacy-at-risk-20260622-p60942.html |url-status=live |archive-url=http://web.archive.org/web/20260630065709/https://www.nine.com.au/australia-news/fears-australian-dashcam-company-could-be-putting-customers-privacy-at-risk-20260622-p60942.html |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=Nine News Australia}}</ref> Days later, after the BlackVue Australia's own privacy-settings blog post was contradicted by further independent testing, it removed the live-broadcast feature from the app entirely.<ref name=":1">{{Cite web |first= |date=23 Jun 2026 |title=BlackVue Cloud privacy settings |url=https://www.blackvue.com.au/news/blackvue-cloud-privacy-settings/ |url-status=live 
|archive-url=http://web.archive.org/web/20260630065820/https://www.blackvue.com.au/news/blackvue-cloud-privacy-settings/ |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=BlackVue Australia}}</ref><ref name=":2">{{Cite web |last=Fenech |first=Stephen |date=26 Jun 2026 |title=BlackVue removes dashcam feature that allowed you to view location and live streams of other users |url=https://www.techguide.com.au/news-old/blackvue-removes-dashcam-feature-that-allowed-you-to-view-location-and-live-streams-of-other-users/ |url-status=live |archive-url=http://web.archive.org/web/20260630065844/https://www.techguide.com.au/news-old/blackvue-removes-dashcam-feature-that-allowed-you-to-view-location-and-live-streams-of-other-users/ |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=Tech Guide}}</ref> | ||
==Consumer impact summary== | ==Consumer impact summary== | ||
*'''User privacy:''' BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug"<ref name="cybernews" /> in 2022 and dismissed Australian media reporting on the issue as "sensationalist and inaccurate"<ref name=":0" /> in 2026, before its | *'''User privacy:''' BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug"<ref name="cybernews" /> in 2022 and dismissed Australian media reporting on the issue as "sensationalist and inaccurate"<ref name=":0" /> in 2026, before its BlackVue Australia removed the broadcast feature entirely.<ref name=":2" /> | ||
*'''Device security:''' Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.<ref name="cve23-github" /><ref name="cve25-github" /> | *'''Device security:''' Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.<ref name="cve23-github" /><ref name="cve25-github" /> | ||
*'''User freedom:''' Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally-connected dashcam. Non-login Wi-Fi Mode was removed.<ref name="blog-update" /> | *'''User freedom:''' Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally-connected dashcam. Non-login Wi-Fi Mode was removed.<ref name="blog-update" /> | ||
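Review bot: The distributor rename left two broken phrases in the new revision. In the lead, "after the BlackVue Australia's own privacy-settings blog post" carries a stray "the", and in the User privacy bullet, "before its BlackVue Australia removed the broadcast feature entirely" carries a stray "its". Suggest "after BlackVue Australia's own privacy-settings blog post" and "before BlackVue Australia removed the broadcast feature entirely". The three new references also use auto-generated names (":0", ":1", ":2") and http:// archive URLs, while the existing references use descriptive names such as "cybernews" and https:// archive URLs; descriptive names in the same style would make later reuse less error-prone. In the unchanged tracxn reference, archive-date=20 Apr 2025 does not match the 2026-0420 timestamp in its archive-url and is worth correcting while the lead is being edited.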
| Line 40: | Line 40: | ||
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an e-mail exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |last=Gill |first=Andy |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |date=15 Mar 2024 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20240406204709/https://blog.zsec.uk/blackvue-privacy/ |archive-date=6 Apr 2024}}</ref> | Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an e-mail exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |last=Gill |first=Andy |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |date=15 Mar 2024 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20240406204709/https://blog.zsec.uk/blackvue-privacy/ |archive-date=6 Apr 2024}}</ref> | ||
On 22 June 2026, Nine News Australia reported that an Australian BlackVue customer could view the real-time location, live video, and in-car audio of other BlackVue users worldwide through a map feature in the app, without those users' apparent knowledge. Nine technology commentator Trevor Long called it "one of the biggest privacy or security concerns" he had seen, estimating only "one per cent of people" using the feature realised it was public. BlackVue | On 22 June 2026, Nine News Australia reported that an Australian BlackVue customer could view the real-time location, live video, and in-car audio of other BlackVue users worldwide through a map feature in the app, without those users' apparent knowledge. Nine technology commentator Trevor Long called it "one of the biggest privacy or security concerns" he had seen, estimating only "one per cent of people" using the feature realised it was public. BlackVue Australia told Nine it was compliant with Australia's Cyber Security Act and called the report "sensationalist and inaccurate."<ref name=":0" /> The next day, BlackVue Australia published a blog post claiming footage was "private by default, full stop," contradicting both the Nine News demonstration and the company's 2022 and 2024 statements described above.<ref name=":1" /> On 26 June 2026, Tech Guide reported it had independently verified the issue in Australia, New Zealand, and the United States; BlackVue then removed Australian cameras from public view and said it was working with "the manufacturer" to eliminate the live-broadcast feature entirely.<ref name=":2" /> | ||
===Firmware security vulnerabilities=== | ===Firmware security vulnerabilities=== | ||
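Review bot: The last sentence of the added paragraph is weaker than the lead and the User privacy bullet: here BlackVue "removed Australian cameras from public view and said it was working with "the manufacturer" to eliminate the live-broadcast feature entirely", while the other two places state that the feature was removed entirely. Align all three with what ref ":2" supports. The subject of that sentence is plain "BlackVue", although working with "the manufacturer" suggests the actor is BlackVue Australia, the name used in the rest of the paragraph, so name it explicitly. "the company's 2022 and 2024 statements described above" also merges separate entities, since the preceding paragraph attributes the e-mail published in 2024 to BlackVue UK; attribute each statement to the entity that made it.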