BlackVue: Difference between revisions
Added archive URLs for 2 citation(s) using CRWCitationBot
rewrote from stub. added gps tracking incident (2018-2024, vice/cybernews), firmware cves (dr750 & dr590x), mandatory registration history, cloud tier removal. fixed company type to private, sourced everything.

{{#seo:
|description=BlackVue dashcam maker Pittasoft has faced repeated security and privacy incidents including GPS tracking leaks, unpatched firmware CVEs, and mandatory app registration.
}}
{{CompanyCargo
|Description=Dashcam maker with unpatched firmware CVEs, GPS location leaks, and mandatory app registration that restricts local camera access
|Founded=2007
|Industry=Electronics,Automotive
|Logo=
|ParentCompany=
|CompanyAlias=Pittasoft,Pittasoft Co. Ltd.
|Type=Private
|Website=https://blackvue.com/
}}
'''BlackVue''' is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.<ref name="tracxn">{{Cite web |title=BlackVue Company Profile |url=https://tracxn.com/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |website=Tracxn |access-date=2026-03-28}}</ref> Since 2018, multiple independent security researchers have found that BlackVue's Cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.<ref name="cybernews">{{Cite web |title=BlackVue dash cameras let you track other users; the company says it's a feature, not a bug |url=https://cybernews.com/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |website=CyberNews |first=Jurgita |last=Lapienytė |date=2022-01-12 |access-date=2026-03-28}}</ref> Seven CVEs across two product lines remain unpatched or were only acknowledged after public disclosure,<ref name="cve23-github">{{Cite web |title=BlackVue DR750 CVE |url=https://github.com/eyJhb/blackvue-cve-2023 |website=GitHub |access-date=2026-03-28}}</ref><ref name="cve25-github">{{Cite web |title=BlackVue Security Vulnerabilities |url=https://github.com/geo-chen/BlackVue |website=GitHub |access-date=2026-03-28}}</ref> and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally connected dashcam without an internet login.<ref name="blog-update">{{Cite web |title=Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More |url=https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |website=BlackVue |date=2025-03-13 |access-date=2026-03-28 |url-status=live |archive-url=http://web.archive.org/web/20250911215829/https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |archive-date=2025-09-11}}</ref>
== Consumer-impact summary ==
* '''User privacy:''' BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug."<ref name="cybernews" />
* '''Device security:''' Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines cover remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.<ref name="cve23-github" /><ref name="cve25-github" />
* '''User freedom:''' Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally connected dashcam. Non-login Wi-Fi Mode was removed.<ref name="blog-update" />
* '''Subscription lock-in:''' In early 2025, Pittasoft discontinued its "Free Forever" cloud tier and moved all cloud features to paid subscriptions, breaking a promise made to existing customers.<ref name="reddit-free">{{Cite web |title=BlackVue Still Advertising Their "Free Forever" Plan After Notifying All Existing Users BlackVue Cloud Services Will be Subscription Only Starting 02/2025 |url=https://www.reddit.com/r/Dashcam/comments/1htbl9d/blackvue_still_advertising_their_free_forever/ |website=Reddit r/Dashcam |date=2025-01-04 |access-date=2026-03-28}}</ref>
== Background ==
Pittasoft Co. Ltd. was founded on July 2, 2007, in Seoul, South Korea, by Hyunmin Hur.<ref name="tracxn" /><ref name="bv-sg">{{Cite web |title=About Us |url=https://www.blackvue.com.sg/about-us.html |website=BlackVue Singapore |access-date=2026-03-28}}</ref> The company initially focused on IP CCTV solutions before pivoting to dashboard cameras. The BlackVue brand launched in 2010 with the DR300, the company's first dashcam.<ref name="bv-sg" /> In 2015, Pittasoft introduced BlackVue Over the Cloud, a connected service that allows remote live viewing, GPS tracking, and push notifications through an internet-connected dashcam.<ref name="bv-sg" />
Pittasoft manufactures its dashcams in South Korea.<ref name="bv-sg" /> The company is privately held and has not raised institutional funding or executed an IPO.<ref name="tracxn" />
== Incidents ==
=== GPS location broadcasting ===
{{Main|BlackVue GPS location broadcasting}}
In October 2018, CSO Online reported that BlackVue dashcam owners were unknowingly broadcasting their real-time GPS coordinates, live video, and audio through BlackVue Cloud. The default cloud configuration when enabling the service opted users into public sharing without warning.<ref name="cso">{{Cite web |title=BlackVue dashcams share cars' mapped GPS locations, stream video feeds and audio |url=https://www.csoonline.com/article/566369/blackvue-dashcams-share-cars-mapped-gps-locations-stream-video-feeds-and-audio.html |website=CSO Online |first=Ms. |last=Smith |date=2018-10-02 |access-date=2026-03-28}}</ref>
Vice journalist Joseph Cox investigated further in January 2020, reverse-engineering the BlackVue iOS app and writing scripts that collected the GPS locations of every BlackVue user with mapping enabled in the eastern half of the United States every two minutes over a week-long period.<ref name="vice">{{Cite web |title=This App Lets Us See Everywhere People Drive |url=https://www.vice.com/en/article/blackvue-dashcams-users-location-tracked/ |website=Vice/Motherboard |first=Joseph |last=Cox |date=2020-01-16 |access-date=2026-03-28}}</ref> The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, and Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" and claimed the company had updated security measures.<ref name="vice" />
The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app and registering an account (which required no email verification), anyone could view the GPS locations and live video feeds of connected dashcams.<ref name="cybernews" /> BlackVue responded that sharing is "opt-in only" and claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.<ref name="cybernews" /> BlackVue acknowledged that "some information might be misleading" and said it would change the wording, but made no changes to the functionality.<ref name="cybernews" />
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an email exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |first=Andy |last=Gill |date=2024-03-15 |access-date=2026-03-28}}</ref>
=== Firmware security vulnerabilities ===
==== DR750 (CVE-2023-27746, CVE-2023-27747, CVE-2023-27748) ====
In July 2022, a security researcher reported three vulnerabilities in the BlackVue DR750-2CH LTE (firmware v1.012_2022.10.26) to Pittasoft. The company was informed but did not issue a patch.<ref name="cve23-github" /> The CVEs were published in the National Vulnerability Database on April 13, 2023:
* '''CVE-2023-27748''' (CVSS 9.8 Critical): The DR750's FOTA (firmware over the air) service on port 9771/TCP performs no authenticity check on uploaded firmware. An attacker on the same network or on the internet (for LTE-connected devices) can upload firmware containing backdoors.<ref name="cve-27748">{{Cite web |title=CVE-2023-27748 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27748 |website=National Vulnerability Database |date=2023-04-13 |access-date=2026-03-28}}</ref>
* '''CVE-2023-27746''' (CVSS 9.8 Critical): The default Wi-Fi passphrase uses only 8 lowercase alphanumeric characters, allowing brute-force cracking.<ref name="cve-27746">{{Cite web |title=CVE-2023-27746 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27746 |website=National Vulnerability Database |date=2023-04-13 |access-date=2026-03-28}}</ref>
* '''CVE-2023-27747''' (CVSS 7.5 High): The dashcam's built-in web server has no authentication, allowing anyone on the network to access live video feeds, download all recordings, and retrieve device configurations.<ref name="cve-27747">{{Cite web |title=CVE-2023-27747 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27747 |website=National Vulnerability Database |date=2023-04-13 |access-date=2026-03-28}}</ref>
At the time of disclosure, approximately 300 vulnerable DR750 devices were discoverable online.<ref name="cve23-github" /> No official patch has been released.<ref name="cve23-github" />
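As an added illustration (not code from Pittasoft, the researcher, or the CVE record), the Go program below shows the kind of check CVE-2023-27748 says the FOTA service lacks: an update is accepted only when a vendor signature over the image verifies under a key pinned in the device. The release key, the image bytes and the detached-signature format are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrUnsigned = errors.New("firmware image carries no signature")
	ErrBadSig   = errors.New("firmware signature does not verify")
)

// VerifyFirmware is the authenticity check the DR750 FOTA service lacks:
// the image is accepted only if the vendor's Ed25519 signature over its
// SHA-256 digest verifies under a public key pinned in the device.
func VerifyFirmware(vendorPub ed25519.PublicKey, image, sig []byte) error {
	if len(sig) == 0 {
		return ErrUnsigned
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(vendorPub, digest[:], sig) {
		return ErrBadSig
	}
	return nil
}

// Demo stands in for both the vendor's signing step and the device's update
// handler. It returns the verdicts for a genuine image, the same image with
// its signature stripped, and a modified image that reuses the old signature.
func Demo() (genuine, unsigned, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor release key
	image := []byte("constructed firmware image, not a real BlackVue binary")
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(priv, digest[:]) // what a vendor would ship beside the image
	genuine = VerifyFirmware(pub, image, sig)
	unsigned = VerifyFirmware(pub, image, nil)
	modified := append([]byte(nil), image...)
	modified[0] ^= 0xff // one flipped byte is enough to invalidate the signature
	tampered = VerifyFirmware(pub, modified, sig)
	return genuine, unsigned, tampered
}

func main() {
	g, u, t := Demo()
	fmt.Printf("genuine: %v\nunsigned: %v\ntampered: %v\n", g, u, t)
}
```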
==== DR590X (CVE-2025-7075, CVE-2025-7076, CVE-2025-2355, CVE-2025-2356) ====
On February 25, 2025, researcher geo-chen disclosed four vulnerabilities in the BlackVue DR590X to Pittasoft. The company acknowledged the report on February 26 and accepted the vulnerabilities on March 5, 2025.<ref name="cve25-github" />
* '''CVE-2025-7075''' (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, by anyone connected to the dashcam's network.<ref name="cve-7075">{{Cite web |title=CVE-2025-7075 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |website=National Vulnerability Database |date=2025-07-05 |access-date=2026-03-28}}</ref>
* '''CVE-2025-7076''': The same upload mechanism allows modification of device configurations, including the ability to disable battery protection and drain the vehicle's battery.<ref name="cve25-github" />
* '''CVE-2025-2355''': The BlackVue v3.65 Android APK exposes both the BCS_TOKEN and SECRET_KEY in plaintext. API secrets are transmitted via GET parameters, exposing them in browser history and proxy logs.<ref name="cve25-github" />
* '''CVE-2025-2356''': Sensitive API endpoints allow unauthorized calls to change device settings, including deleting a device from an account.<ref name="cve25-github" />
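As an added example, not code from the researcher's report or from Pittasoft, the Go program below shows the defensive counterpart to the GET-parameter leak in CVE-2025-2355: scrubbing sensitive query parameters from a proxy log line before it is stored. The log line, host, serial and secret values are constructed; BCS_TOKEN and SECRET_KEY are the parameter names from the report, the other names are generic additions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Query parameters that must never reach a log. BCS_TOKEN and SECRET_KEY are
// the names from the CVE-2025-2355 report; the rest are generic additions.
var sensitiveNames = map[string]bool{"bcs_token": true, "secret_key": true,
	"token": true, "secret": true, "api_key": true, "password": true}

// RedactQuerySecrets replaces each sensitive query value in a URL with
// "REDACTED" and returns how many values it replaced.
func RedactQuerySecrets(raw string) (string, int) {
	u, err := url.Parse(raw)
	if err != nil || u.RawQuery == "" {
		return raw, 0
	}
	q, n := u.Query(), 0
	for name := range q {
		if sensitiveNames[strings.ToLower(name)] {
			q.Set(name, "REDACTED")
			n++
		}
	}
	u.RawQuery = q.Encode() // Encode sorts keys, so the output is deterministic
	return u.String(), n
}

// ScrubLogLine scrubs every URL field of a proxy or access log line. Run at
// write time, it keeps secrets sent as GET parameters out of the stored log.
func ScrubLogLine(line string) (string, int) {
	fields, total := strings.Fields(line), 0
	for i, f := range fields {
		if strings.HasPrefix(f, "http://") || strings.HasPrefix(f, "https://") {
			var n int
			fields[i], n = RedactQuerySecrets(f)
			total += n
		}
	}
	return strings.Join(fields, " "), total
}

func main() {
	// Constructed proxy log line: host, serial and secret values are made up.
	clean, n := ScrubLogLine("2025-03-05T10:00:00Z 203.0.113.7 GET https://api.example.invalid/v1/device?serial=DEMO123&BCS_TOKEN=abc123&SECRET_KEY=s3cr3t 200")
	fmt.Println(n, "secret value(s) removed:", clean)
}
```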
=== Mandatory app registration ===
{{Main|BlackVue mandatory app registration}}
On March 13, 2025, Pittasoft announced that a BlackVue account would be required to use the companion app. The announcement stated that "Non-login Wi-Fi Mode will no longer be available," removing the ability to connect to a locally present dashcam without first creating an account and logging in over the internet.<ref name="blog-update" />
This was Pittasoft's second attempt at mandatory registration. In March 2023, an app update required users to log in to access their dashcam. After user complaints on forums and app stores, BlackVue released version 3.42 on March 23, 2023, which added a Guest mode for direct Wi-Fi access without login.<ref name="dct-2023">{{Cite web |title=New Blackvue App 2023: HORRID |url=https://dashcamtalk.com/forum/threads/new-blackvue-app-2023-horrid.48614/ |website=DashCamTalk |date=2023-03-15 |access-date=2026-03-28}}</ref> In 2025, BlackVue removed that Guest mode.
Android app version 3.66 (released April 1, 2025) and iOS version 4.0 (released April 3, 2025) implemented the mandatory account requirement.<ref name="apk-366">{{Cite web |title=BlackVue 3.66 APK |url=https://www.apkmirror.com/apk/pittasoft/blackvue/blackvue-3-66-release/ |website=APKMirror |date=2025-04-01 |access-date=2026-03-28}}</ref> The app's changelog listed "BlackVue account now required" under "Important Changes." An offline mode allows local access after the initial login, but the first login requires an internet connection.<ref name="apk-366" />
Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 in version 4.15.<ref name="apk-366" /> Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, and TikTok conversion tracking for advertising and analytics purposes.<ref name="privacy-policy">{{Cite web |title=BlackVue Privacy Policy |url=https://www.iubenda.com/privacy-policy/58407536/full-legal |website=Iubenda |date=2025-05-18 |access-date=2026-03-28}}</ref>
On the Apple App Store, the app holds a 3.8 out of 5 rating from 2,197 reviews. Users reported that "App worked just fine for years PRIOR to their requiring you to have an account" and that "NOBODY needs or wants an account" to view local videos on cameras they already own.<ref name="appstore">{{Cite web |title=BlackVue on the App Store |url=https://apps.apple.com/us/app/blackvue/id1049209637 |website=Apple App Store |access-date=2026-03-28}}</ref>
=== Cloud subscription tier removal ===
In January 2025, Pittasoft notified existing BlackVue Cloud users that all cloud services would become subscription-only starting in February 2025, discontinuing a tier the company had previously marketed as "Free Forever."<ref name="reddit-free" /> Users reported that BlackVue was still advertising the "Free Forever" plan on its website while sending emails notifying customers of the change. One user reported the new subscription cost was $16 per month.<ref name="reddit-free" />
BlackVue Cloud features include remote live view, GPS tracking, two-way voice communication, live event upload, and cloud video backup.<ref name="cloud-store">{{Cite web |title=BlackVue Over the Cloud |url=https://www.thedashcamstore.com/blackvue-over-the-cloud/ |website=The Dashcam Store |access-date=2026-03-28}}</ref> The transition to paid-only access means owners of cloud-compatible dashcams who relied on the free tier lost remote access features they had been using since purchasing their hardware.
== Products ==
BlackVue's current lineup includes:
* '''ELITE Series''' (ELITE 8, ELITE 9, ELITE 10): Premium tier with 4K UHD recording and Sony STARVIS 2 sensors
* '''DR970X Series''': 4K recording with 8MP Sony STARVIS sensors, available with built-in LTE
* '''DR770X Series''': Full HD at 60fps, available in 1-channel, 2-channel, and truck variants
* '''DR590X Series''': Entry-level line
* '''BOX Series''': Tamper-proof recording unit separate from camera lenses
== See also ==
* [[Planned obsolescence]]
* [[Subscription lock-in]]
== References ==
{{reflist}}
<!-- INCIDENT SEVERITY SCORES (for pipeline orchestration, not displayed)
INCIDENT_SCORE: GPS location broadcasting | 72/100 | Six years of documented privacy exposure across multiple independent investigations (Vice, CyberNews, CSO Online, ZephrSec). Company acknowledged but refused to change default behavior. Affected users globally. No regulatory action found.
INCIDENT_SCORE: Firmware security vulnerabilities | 68/100 | Seven CVEs across two product lines (DR750, DR590X), two rated CVSS 9.8 Critical, two rated CVSS 8.8 High. DR750 vulnerabilities reported in 2022 remain unpatched. DR590X acknowledged but fix status unclear. Approximately 300 vulnerable devices found online. No regulatory action.
INCIDENT_SCORE: Mandatory app registration | 52/100 | Retroactive functional restriction on purchased hardware. Second attempt after first was reversed in 2023. Documented community backlash across Reddit, DashCamTalk, and app stores. No legal action. Offline mode available after initial login partially mitigates impact.
INCIDENT_SCORE: Cloud subscription tier removal | 40/100 | Documented bait-and-switch from "Free Forever" to paid. Affected existing customers. Community complaints on Reddit. No legal action or regulatory response found.
-->
[[Category:BlackVue]]
[[Category:Privacy]]
[[Category:Dashcams]]