BlackVue: Difference between revisions
Add June 2026 Nine News investigation and Tech Guide follow-up to the GPS location broadcasting incident covering BlackVue Australia's contradicted "private by default" claim, and the subsequent removal of the live-broadcast feature. Includes updates to the lead paragraph and impact summary, addition of new sub-section to GPS location broadcasting incidents, and addition of references 6-8.
'''BlackVue''' is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.<ref name="tracxn">{{Cite web |author= |title=BlackVue Company Profile |url=https://tracxn.com/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |website=Tracxn |date=1 Mar 2026 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1242-51/https://tracxn.com:443/d/companies/blackvue/__sULi2NdAYMOKiZUnzCUB0a00DsfdWttUdzb7nzIMFaw |archive-date=20 Apr 2025}}</ref> Since 2018, multiple independent security researchers have found that BlackVue's cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.<ref name="cybernews">{{Cite web |last=Lapienytė |first=Jurgita |title=BlackVue dash cameras let you track other users; the company says it's a feature, not a bug |url=https://cybernews.com/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |website=CyberNews |date=12 Jan 2022 |access-date=19 Apr 2026 |url-status=live |archive-url=https://megalodon.jp/2026-0420-1249-07/https://cybernews.com:443/privacy/blackvue-dash-cameras-let-you-track-other-users-the-company-says-its-a-feature-not-a-bug/ |archive-date=20 Apr 2026}}</ref> Seven CVEs across two product lines remain unpatched or were only acknowledged after public disclosure,<ref name="cve23-github">{{Cite web |author=eyJhb |title=BlackVue DR750 CVE |url=https://github.com/eyJhb/blackvue-cve-2023 |website=[[GitHub]] |date=12 Apr 2023 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20230505111212/https://github.com/eyJhb/blackvue-cve-2023 |archive-date=5 May 2023}}</ref><ref name="cve25-github">{{Cite web |author=geo-chen |title=BlackVue Security Vulnerabilities |url=https://github.com/geo-chen/BlackVue |website=[[GitHub]] |date=6 Jul 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20260420035635/https://github.com/geo-chen/BlackVue |archive-date=20 Apr 2026}}</ref> and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally-connected dashcam without an internet login.<ref name="blog-update">{{Cite web |author= |title=Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More |url=https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |website=BlackVue |date=13 Mar 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250728153154/https://media.blackvue.com/discover-the-latest-blackvue-app-update-enhanced-ui-new-features-and-more/ |archive-date=28 Jul 2025}}</ref> In June 2026, Australian outlet Nine News found that BlackVue dashcams used in Australia were still broadcasting users' location, video, and audio by default, which BlackVue's Australian distributor dismissed as "sensationalist and inaccurate."<ref name=":0">{{Cite web |last=Marshall |first=Sally |date=22 Jun 2026 |title=Fears Australian dashcam company could be putting customers' privacy at risk |url=https://www.nine.com.au/australia-news/fears-australian-dashcam-company-could-be-putting-customers-privacy-at-risk-20260622-p60942.html |url-status=live |archive-url=http://web.archive.org/web/20260630065709/https://www.nine.com.au/australia-news/fears-australian-dashcam-company-could-be-putting-customers-privacy-at-risk-20260622-p60942.html |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=Nine News Australia}}</ref> Days later, after the distributor's own privacy-settings blog post was contradicted by further independent testing, it removed the live-broadcast feature from the app entirely.<ref name=":1">{{Cite web |first= |date=23 Jun 2026 |title=BlackVue Cloud privacy settings |url=https://www.blackvue.com.au/news/blackvue-cloud-privacy-settings/ |url-status=live |archive-url=http://web.archive.org/web/20260630065820/https://www.blackvue.com.au/news/blackvue-cloud-privacy-settings/ |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=BlackVue Australia}}</ref><ref name=":2">{{Cite web |last=Fenech |first=Stephen |date=26 Jun 2026 |title=BlackVue removes dashcam feature that allowed you to view location and live streams of other users |url=https://www.techguide.com.au/news-old/blackvue-removes-dashcam-feature-that-allowed-you-to-view-location-and-live-streams-of-other-users/ |url-status=live |archive-url=http://web.archive.org/web/20260630065844/https://www.techguide.com.au/news-old/blackvue-removes-dashcam-feature-that-allowed-you-to-view-location-and-live-streams-of-other-users/ |archive-date=30 Jun 2026 |access-date=30 Jun 2026 |website=Tech Guide}}</ref>
==Consumer impact summary==
*'''User privacy:''' BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug"<ref name="cybernews" /> in 2022 and dismissed Australian media reporting on the issue as "sensationalist and inaccurate"<ref name=":0" /> in 2026, before its Australian distributor removed the broadcast feature entirely.<ref name=":2" />
*'''Device security:''' Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.<ref name="cve23-github" /><ref name="cve25-github" />
*'''User freedom:''' Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally-connected dashcam. Non-login Wi-Fi Mode was removed.<ref name="blog-update" />
*'''Subscription lock-in:''' In early 2025, Pittasoft discontinued its "Free Forever" cloud tier and moved all cloud features to paid subscriptions, breaking a promise made to existing customers.<ref name="reddit-free">{{Cite web |author=z_Elektrisk_z |title=BlackVue Still Advertising Their "Free Forever" Plan After Notifying All Existing Users BlackVue Cloud Services Will be Subscription Only Starting 02/2025 |url=https://old.reddit.com/r/Dashcam/comments/1htbl9d/blackvue_still_advertising_their_free_forever/ |website=[[Reddit]] |date=4 Jan 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20260420040912/https://old.reddit.com/r/Dashcam/comments/1htbl9d/blackvue_still_advertising_their_free_forever/ |archive-date=20 Apr 2026}}</ref>
==Background==
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an e-mail exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |last=Gill |first=Andy |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |date=15 Mar 2024 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20240406204709/https://blog.zsec.uk/blackvue-privacy/ |archive-date=6 Apr 2024}}</ref>
On 22 June 2026, Nine News Australia reported that an Australian BlackVue customer could view the real-time location, live video, and in-car audio of other BlackVue users worldwide through a map feature in the app, without those users' apparent knowledge. Nine technology commentator Trevor Long called it "one of the biggest privacy or security concerns" he had seen, estimating only "one per cent of people" using the feature realised it was public. BlackVue's Australian distributor told Nine it was compliant with Australia's Cyber Security Act and called the report "sensationalist and inaccurate."<ref name=":0" /> The next day, BlackVue Australia published a blog post claiming footage was "private by default, full stop," contradicting both the Nine News demonstration and the company's 2022 and 2024 statements described above.<ref name=":1" /> On 26 June 2026, Tech Guide reported it had independently verified the issue in Australia, New Zealand, and the United States; BlackVue then removed Australian cameras from public view and said it was working with "the manufacturer" to eliminate the live-broadcast feature entirely.<ref name=":2" />
===Firmware security vulnerabilities===
In July 2022, a security researcher reported three vulnerabilities in the BlackVue DR750-2CH LTE (firmware v1.012_2022.10.26) to Pittasoft. The company was informed but did not issue a patch.<ref name="cve23-github" /> The CVEs were published in the National Vulnerability Database on 13 April 2023:
*'''CVE-2023-27748''' (CVSS 9.8 Critical): The DR750's FOTA (firmware over the air) service on port 9771/TCP performs no authenticity check on uploaded firmware. An attacker on the same network or on the internet (for LTE-connected devices) can upload firmware containing backdoors.<ref name="cve-27748">{{Cite web |author= |title=CVE-2023-27748 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27748 |website=National Vulnerability Database |date=13 Apr 2023 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250218191058/https://nvd.nist.gov/vuln/detail/CVE-2023-27748 |archive-date=18 Feb 2025}}</ref>
*'''CVE-2023-27746''' (CVSS 9.8 Critical): The default Wi-Fi passphrase uses only 8 lowercase alphanumeric characters, allowing brute-force cracking.<ref name="cve-27746">{{Cite web |author= |title=CVE-2023-27746 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27746 |website=National Vulnerability Database |date=13 Apr 2023 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250218191058/https://nvd.nist.gov/vuln/detail/CVE-2023-27746 |archive-date=18 Feb 2025}}</ref>
*'''CVE-2023-27747''' (CVSS 7.5 High): The dashcam's built-in web server has no authentication, allowing anyone on the network to access live video feeds, download all recordings, and retrieve device configurations.<ref name="cve-27747">{{Cite web |author= |title=CVE-2023-27747 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2023-27747 |website=National Vulnerability Database |date=13 Apr 2026 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20250218191105/https://nvd.nist.gov/vuln/detail/CVE-2023-27747 |archive-date=18 Feb 2025}}</ref>
At the time of disclosure, approximately 300 vulnerable DR750 devices were discoverable online.<ref name="cve23-github" /> No official patch has been released.<ref name="cve23-github" />
On 25 February 2025, a researcher by the user name of geo-chen disclosed four vulnerabilities in the BlackVue DR590X to Pittasoft. The company acknowledged the report on 16 February and accepted the vulnerabilities on 5 March 2025.<ref name="cve25-github" />
*'''CVE-2025-7075''' (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.<ref name="cve-7075">{{Cite web |author= |title=CVE-2025-7075 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |website=National Vulnerability Database |date=5 Jul 2025 |access-date=19 Apr 2026 |url-status=live |archive-url=https://web.archive.org/web/20260420044040/https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |archive-date=20 Apr 2026}}</ref>
*'''CVE-2025-7076''': The same upload mechanism allows modification of device configurations, including the ability to disable battery protection and drain the vehicle's battery.<ref name="cve25-github" />
*'''CVE-2025-2355''': The BlackVue v3.65 Android APK exposes both the BCS_TOKEN and SECRET_KEY in plaintext.<ref name="cve25-github" />
*'''CVE-2025-2356''': Sensitive API endpoints transmit authentication tokens via GET parameters, exposing them in browser history, referral URLs, and proxy logs. The endpoints allow unauthorized calls to change device settings, including deleting a device from an account.<ref name="cve25-github" />
===Cloud subscription tier removal (''January 2025'')===
BlackVue's current lineup includes:
*'''ELITE Series''' (ELITE 8, ELITE 9, ELITE 10): Premium tier with 4K UHD recording and Sony STARVIS 2 sensors
*'''DR970X Series''': 4K recording with 8MP Sony STARVIS sensors, available with built-in LTE
*'''DR770X Series''': Full HD at 60fps, available in 1-channel, 2-channel, and truck variants
*'''DR590X Series''': Entry-level line
*'''BOX Series''': Tamper-proof recording unit separate from camera lenses
==See also==
Revision as of 07:58, 30 June 2026
| Basic information | |
|---|---|
| Founded | 2007 |
| Legal Structure | Private |
| Industry | Electronics, Automotive |
| Also known as | Pittasoft, Pittasoft Co. Ltd. |
| Official website | https://blackvue.com/ |
BlackVue is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.[1] Since 2018, multiple independent security researchers have found that BlackVue's cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.[2] Seven CVEs across two product lines remain unpatched or were only acknowledged after public disclosure,[3][4] and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally-connected dashcam without an internet login.[5] In June 2026, Australian outlet Nine News found that BlackVue dashcams used in Australia were still broadcasting users' location, video, and audio by default, which BlackVue's Australian distributor dismissed as "sensationalist and inaccurate."[6] Days later, after the distributor's own privacy-settings blog post was contradicted by further independent testing, it removed the live-broadcast feature from the app entirely.[7][8]
Consumer impact summary
- User privacy: BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug"[2] in 2022 and dismissed Australian media reporting on the issue as "sensationalist and inaccurate"[6] in 2026, before its Australian distributor removed the broadcast feature entirely.[8]
- Device security: Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.[3][4]
- User freedom: Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally-connected dashcam. Non-login Wi-Fi Mode was removed.[5]
- Subscription lock-in: In early 2025, Pittasoft discontinued its "Free Forever" cloud tier and moved all cloud features to paid subscriptions, breaking a promise made to existing customers.[9]
Background
Pittasoft Co. Ltd. was founded on 2 July 2007, in South Korea, by Hyunmin Hur.[1][10] The company initially focused on IP CCTV solutions before pivoting to dashboard cameras. The BlackVue brand launched in 2010 with the DR300, the company's first dashcam.[10] In 2015, Pittasoft introduced BlackVue Over the Cloud, a connected service that allows remote live viewing, GPS tracking, and push notifications through an internet-connected dashcam.[10]
Pittasoft manufactures its dashcams in South Korea.[10] The company is privately held and has not raised institutional funding or executed an IPO.[1]
Incidents
This is a list of all consumer-protection incidents related to this product. Any incidents not mentioned here can be found in the BlackVue category.
GPS location broadcasting (2018—)
- Main article: BlackVue GPS location broadcasting
In October 2018, CSO Online reported that BlackVue dashcam owners were unknowingly broadcasting their real-time GPS coordinates, live video, and audio through BlackVue Cloud. The default cloud configuration when enabling the service opted users into public sharing without warning.[11]
Vice journalist Joseph Cox investigated further in January 2020: he reverse-engineered the BlackVue iOS app and wrote scripts that collected the GPS locations of every BlackVue user with mapping enabled on the eastern half of the United States every two minutes over a week-long period.[12] The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, and Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" and claimed the company had updated security measures.[12]
The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app and registering an account (which required no e-mail verification), anyone could view the GPS locations and live-video feeds of connected dashcams.[2] BlackVue responded that sharing is "opt-in only" and claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.[2] BlackVue acknowledged that "some information might be misleading" and said it would change the wording.[2]
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an e-mail exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."[13]
On 22 June 2026, Nine News Australia reported that an Australian BlackVue customer could view the real-time location, live video, and in-car audio of other BlackVue users worldwide through a map feature in the app, without those users' apparent knowledge. Nine technology commentator Trevor Long called it "one of the biggest privacy or security concerns" he had seen, estimating only "one per cent of people" using the feature realised it was public. BlackVue's Australian distributor told Nine it was compliant with Australia's Cyber Security Act and called the report "sensationalist and inaccurate."[6] The next day, BlackVue Australia published a blog post claiming footage was "private by default, full stop," contradicting both the Nine News demonstration and the company's 2022 and 2024 statements described above.[7] On 26 June 2026, Tech Guide reported it had independently verified the issue in Australia, New Zealand, and the United States; BlackVue then removed Australian cameras from public view and said it was working with "the manufacturer" to eliminate the live-broadcast feature entirely.[8]
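The dispute running through this whole incident is what the sharing default should be. The following is an added example, not BlackVue's or Pittasoft's code: a small Python model of a cloud-side visibility check with the opt-out default that the reporting describes placed beside an opt-in default, plus an audit function that lists devices a third party can see although their owner never made an explicit choice. The Device and Account types, their field names, the e-mail-verification rule and the sample fleet are constructed assumptions.

```python
"""Cloud-side visibility check for a fleet of connected dashcams.
Added example, not BlackVue/Pittasoft code: the Device and Account types,
their field names and the sample fleet are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    owner: str
    # None records that the owner never made an explicit sharing choice.
    share_publicly: Optional[bool] = None
    lat: float = 0.0
    lon: float = 0.0


@dataclass
class Account:
    user: str
    email_verified: bool = False


Policy = Callable[[Device, Account], bool]


def visible_optout(device: Device, viewer: Account) -> bool:
    """Weak default: a device is public unless its owner switched sharing off.
    A device whose owner never touched the setting (share_publicly is None)
    therefore ends up on the public map."""
    if viewer.user == device.owner:
        return True
    return device.share_publicly is not False


def visible_optin(device: Device, viewer: Account) -> bool:
    """Hardened default: only an explicit opt-in makes a device public, and
    only accounts with a verified e-mail address may browse other people's
    devices, so a throwaway registration cannot enumerate the map."""
    if viewer.user == device.owner:
        return True
    if not viewer.email_verified:
        return False
    return device.share_publicly is True


def public_map(devices: List[Device], viewer: Account,
               policy: Policy) -> List[Tuple[str, float, float]]:
    """What the map view returns to `viewer` under a given policy."""
    return [(d.device_id, d.lat, d.lon) for d in devices if policy(d, viewer)]


def exposed_without_consent(devices: List[Device], policy: Policy) -> List[str]:
    """Audit: devices an unrelated verified account can see although the owner
    never explicitly chose to share. Should be empty under a sane policy."""
    probe = Account(user="__audit_probe__", email_verified=True)
    return [d.device_id for d in devices
            if d.share_publicly is None and policy(d, probe)]


# Constructed sample fleet and viewers (coordinates are arbitrary).
FLEET = [
    Device("cam-A", "alice", share_publicly=None, lat=-33.87, lon=151.21),
    Device("cam-B", "bob", share_publicly=True, lat=51.51, lon=-0.13),
    Device("cam-C", "carol", share_publicly=False, lat=40.71, lon=-74.01),
]
UNVERIFIED_STRANGER = Account("mallory", email_verified=False)
VERIFIED_STRANGER = Account("dave", email_verified=True)

if __name__ == "__main__":
    for name, policy in (("opt-out", visible_optout), ("opt-in", visible_optin)):
        print(name, [d for d, _, _ in public_map(FLEET, UNVERIFIED_STRANGER, policy)],
              "exposed without consent:", exposed_without_consent(FLEET, policy))
```

Under the opt-out policy cam-A appears on the map even though alice never chose anything, which is exactly the state the audit function is meant to surface; under the opt-in policy the same fleet yields an empty audit list and an unverified account sees nothing at all.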
Firmware security vulnerabilities
DR750 (CVE-2023-27746, CVE-2023-27747, CVE-2023-27748)
In July 2022, a security researcher reported three vulnerabilities in the BlackVue DR750-2CH LTE (firmware v1.012_2022.10.26) to Pittasoft. The company was informed but did not issue a patch.[3] The CVEs were published in the National Vulnerability Database on 13 April 2023:
- CVE-2023-27748 (CVSS 9.8 Critical): The DR750's FOTA (firmware over the air) service on port 9771/TCP performs no authenticity check on uploaded firmware. An attacker on the same network or on the internet (for LTE-connected devices) can upload firmware containing backdoors.[14]
- CVE-2023-27746 (CVSS 9.8 Critical): The default Wi-Fi passphrase uses only 8 lowercase alphanumeric characters, allowing brute-force cracking.[15]
- CVE-2023-27747 (CVSS 7.5 High): The dashcam's built-in web server has no authentication, allowing anyone on the network to access live video feeds, download all recordings, and retrieve device configurations.[16]
At the time of disclosure, approximately 300 vulnerable DR750 devices were discoverable online.[3] No official patch has been released.[3]
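CVE-2023-27748 comes down to a FOTA receiver that writes whatever image it is handed. The following is an added example, not Pittasoft firmware, showing the checks such a receiver should make before flashing: authenticate the whole image first, then validate the header, then refuse rollback to an older version. The package layout, the demo key and the version numbers are constructed; HMAC-SHA256 is used as a stand-in because it is available in the standard library, whereas a production design would verify an asymmetric signature (for example Ed25519) so that the device stores only a public key and a compromised unit cannot forge images for others.

```python
"""Authenticity and rollback checks for an uploaded firmware image.
Added example, not Pittasoft firmware. Package layout, key and versions are
constructed; HMAC stands in for an asymmetric signature."""
import hashlib
import hmac
import struct

MAGIC = b"FWPK"
HEADER = struct.Struct(">4sII")   # magic, version, payload length
TAG_LEN = 32                      # HMAC-SHA256 digest size

# Constructed demo key. A real device should hold only a public key and
# check a signature made with the vendor's offline private key.
DEMO_KEY = b"constructed-demo-key-not-for-use"


class FirmwareRejected(Exception):
    """Raised when an image fails any check; the caller must not flash it."""


def package_firmware(key: bytes, version: int, payload: bytes) -> bytes:
    """Build an image: header + payload + authentication tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def install_unchecked(blob: bytes) -> bytes:
    """The vulnerable behaviour: strip the framing and flash whatever arrived."""
    return blob[HEADER.size:-TAG_LEN]


def verify_firmware(key: bytes, blob: bytes, installed_version: int):
    """Return (version, payload) for an acceptable image, else raise."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("truncated image")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Authenticate before trusting any header field, in constant time.
    if not hmac.compare_digest(tag, expected):
        raise FirmwareRejected("authentication tag mismatch")
    magic, version, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    if len(body) - HEADER.size != length:
        raise FirmwareRejected("length field does not match payload")
    # Anti-rollback: an authentic but older image must not replace a newer one.
    if version <= installed_version:
        raise FirmwareRejected("rollback to version %d refused" % version)
    return version, body[HEADER.size:]


def accept_fota_upload(key: bytes, blob: bytes, installed_version: int):
    """Decision wrapper for the upload handler: (accepted, detail)."""
    try:
        version, _ = verify_firmware(key, blob, installed_version)
    except FirmwareRejected as exc:
        return False, str(exc)
    return True, "version %d accepted" % version


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit of an image, simulating a modified upload."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    good = package_firmware(DEMO_KEY, 2, b"payload-v2")
    print(accept_fota_upload(DEMO_KEY, good, 1))
    print(accept_fota_upload(DEMO_KEY, tamper(good, 14), 1))
    print(accept_fota_upload(DEMO_KEY, package_firmware(DEMO_KEY, 1, b"old"), 1))
```

The order of the checks matters: parsing the header before authenticating it would let an attacker drive the parser with untrusted lengths and versions, so the tag is verified over the complete body first.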
DR590X (CVE-2025-7075, CVE-2025-7076, CVE-2025-2355, CVE-2025-2356)
On 25 February 2025, a researcher by the user name of geo-chen disclosed four vulnerabilities in the BlackVue DR590X to Pittasoft. The company acknowledged the report on 16 February and accepted the vulnerabilities on 5 March 2025.[4]
- CVE-2025-7075 (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.[17]
- CVE-2025-7076: The same upload mechanism allows modification of device configurations, including the ability to disable battery protection and drain the vehicle's battery.[4]
- CVE-2025-2355: The BlackVue v3.65 Android APK exposes both the BCS_TOKEN and SECRET_KEY in plaintext.[4]
- CVE-2025-2356: Sensitive API endpoints transmit authentication tokens via GET parameters, exposing them in browser history, referral URLs, and proxy logs. The endpoints allow unauthorized calls to change device settings, including deleting a device from an account.[4]
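CVE-2025-2355 and CVE-2025-2356 are two faces of the same problem, credentials sitting where they can be read: shipped in the app package, and carried in query strings that every proxy and access log records. The following is an added example, not geo-chen's or Pittasoft's code, with two review checks a defender can run: a scan of decoded app string resources for credential-like entries that hold real key material, and a scan of web access logs for requests that pass auth tokens as GET parameters, with a redacted form of the URL and a hardened request builder that moves the token into the Authorization header. The resource file, the log lines, the parameter names and the token values are constructed.

```python
"""Checks for the two secret-exposure classes: hardcoded secrets in app
resources and auth tokens in GET query strings. Added example, not the
researcher's or vendor's code; sample data and parameter names constructed."""
import math
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- hardcoded secrets in decoded app resources (CVE-2025-2355 class) -------

SECRET_NAME = re.compile(r"(token|secret|api_?key|password)", re.IGNORECASE)
STRING_RES = re.compile(r'<string name="([^"]+)">([^<]*)</string>')


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores higher than labels."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(resource_xml: str, min_entropy: float = 3.5):
    """Flag <string> resources whose name suggests a credential and whose value
    looks like key material rather than UI text or a placeholder."""
    hits = []
    for name, value in STRING_RES.findall(resource_xml):
        looks_like_key = (len(value) >= 16
                          and not any(ch.isspace() for ch in value)
                          and shannon_entropy(value) >= min_entropy)
        if SECRET_NAME.search(name) and looks_like_key:
            hits.append(name)
    return hits


# Constructed strings.xml; the values are not real credentials.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Dashcam Companion</string>
    <string name="bcs_token">q7Lm2Xp9vR4sT1wZb8Nc6Kd3Yf5Hj0Ga</string>
    <string name="secret_key">A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6</string>
    <string name="api_key_placeholder">YOUR_API_KEY_HERE</string>
    <string name="login_hint_password">Enter your password</string>
</resources>"""

# --- auth tokens in GET query strings (CVE-2025-2356 class) -----------------

TOKEN_PARAMS = {"token", "auth_token", "access_token", "bcs_token", "secret_key"}
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def tokens_in_url(url: str):
    """Names of credential-bearing query parameters present in a URL."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k.lower() in TOKEN_PARAMS]


def redact_url(url: str) -> str:
    """Same URL with credential parameters masked, safe to keep in a report."""
    parts = urlsplit(url)
    q = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))


def scan_access_log(lines):
    """(line_no, method, leaked_param_names, redacted_target) per offending line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        leaked = tokens_in_url(m.group("target"))
        if leaked:
            findings.append((n, m.group("method"), leaked, redact_url(m.group("target"))))
    return findings


def build_request(path: str, device_id: str, token: str):
    """Hardened form: the token travels in a header, never in the URL."""
    url = urlunsplit(("", "", path, urlencode({"device_id": device_id}), ""))
    return url, {"Authorization": "Bearer " + token}


# Constructed combined-format proxy log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /api/device/settings?device_id=cam01&token=tok-EXAMPLE-1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /api/device/list?device_id=cam01 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Mar/2025:12:00:07 +0000] "POST /api/device/delete?device_id=cam02&auth_token=tok-EXAMPLE-2 HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_STRINGS_XML))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(build_request("/api/device/settings", "cam01", "tok-EXAMPLE-3"))
```

The resource scan deliberately combines a name heuristic with a value heuristic: a string called `login_hint_password` is UI text and `YOUR_API_KEY_HERE` is a placeholder, and neither should generate a finding, while the two high-entropy values do. The log scan reports redacted URLs so that the review output itself does not become another copy of the tokens.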
Cloud subscription tier removal (January 2025)
In January 2025, Pittasoft notified existing BlackVue Cloud users that all cloud services would become subscription-only starting in February 2025, discontinuing a tier the company had previously marketed as "Free Forever."[9] Users reported that BlackVue was still advertising the "Free Forever" plan on its website while sending e-mails notifying customers of the change. One user reported the new subscription cost was $16 per month.[9]
BlackVue Cloud features include remote live view, GPS tracking, two-way voice communication, live event upload, and cloud video backup.[18] The transition to paid-only access means owners of cloud-compatible dashcams who relied on the free tier lost remote access features they had been using since purchasing their hardware.
Mandatory app registration (March 2025)
- Main article: BlackVue mandatory app registration
On 13 March 2025, Pittasoft announced that a BlackVue account would be required to use the companion app. The announcement stated that "Non-login Wi-Fi Mode will no longer be available," removing the ability to connect to a locally present dashcam without first creating an account and logging in over the internet.[5]
This was Pittasoft's second attempt to require mandatory registration. In March 2023, an app update required users to log in to access their dashcam. After user complaints on forums and app stores, BlackVue released version 3.42 on 23 March 2023, which added a guest mode for direct Wi-Fi access without login.[19] In 2025, BlackVue removed that guest mode.
Android app version 3.66 (released 1 April 2025) and iOS version 4.0 (released 3 April 2025) implemented the mandatory account requirement.[20] The app's changelog listed "BlackVue account now required" under "Important Changes." An offline mode allows local access after the initial login, but the first login requires an internet connection.[20]
The Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 permissions in version 4.15.[20] Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, and TikTok conversion tracking for advertising and analytics purposes.[21]
On the Apple App Store, the app holds a 3.8 out of 5 rating from approximately 2,200 ratings.[22]
Products
BlackVue's current lineup includes:
- ELITE Series (ELITE 8, ELITE 9, ELITE 10): Premium tier with 4K UHD recording and Sony STARVIS 2 sensors
- DR970X Series: 4K recording with 8MP Sony STARVIS sensors, available with built-in LTE
- DR770X Series: Full HD at 60fps, available in 1-channel, 2-channel, and truck variants
- DR590X Series: Entry-level line
- BOX Series: Tamper-proof recording unit separate from camera lenses
See also
References
1. "BlackVue Company Profile". Tracxn. 1 Mar 2026. Archived from the original on 20 Apr 2025. Retrieved 19 Apr 2026.
2. Lapienytė, Jurgita (12 Jan 2022). "BlackVue dash cameras let you track other users; the company says it's a feature, not a bug". CyberNews. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
3. eyJhb (12 Apr 2023). "BlackVue DR750 CVE". GitHub. Archived from the original on 5 May 2023. Retrieved 19 Apr 2026.
4. geo-chen (6 Jul 2025). "BlackVue Security Vulnerabilities". GitHub. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
5. "Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More". BlackVue. 13 Mar 2025. Archived from the original on 28 Jul 2025. Retrieved 19 Apr 2026.
6. Marshall, Sally (22 Jun 2026). "Fears Australian dashcam company could be putting customers' privacy at risk". Nine News Australia. Archived from the original on 30 Jun 2026. Retrieved 30 Jun 2026.
7. "BlackVue Cloud privacy settings". BlackVue Australia. 23 Jun 2026. Archived from the original on 30 Jun 2026. Retrieved 30 Jun 2026.
8. Fenech, Stephen (26 Jun 2026). "BlackVue removes dashcam feature that allowed you to view location and live streams of other users". Tech Guide. Archived from the original on 30 Jun 2026. Retrieved 30 Jun 2026.
9. z_Elektrisk_z (4 Jan 2025). "BlackVue Still Advertising Their "Free Forever" Plan After Notifying All Existing Users BlackVue Cloud Services Will be Subscription Only Starting 02/2025". Reddit. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
10. "About Us". BlackVue. Archived from the original on 8 Jan 2025. Retrieved 19 Apr 2026.
11. Ms. Smith (2 Oct 2018). "BlackVue dashcams share cars' mapped GPS locations, stream video feeds and audio". CSO Online. Archived from the original on 4 Oct 2023. Retrieved 19 Apr 2026.
12. Cox, Joseph (16 Jan 2020). "This App Lets Us See Everywhere People Drive". Vice. Archived from the original on 22 Nov 2024. Retrieved 19 Apr 2026.
13. Gill, Andy (15 Mar 2024). "BlackVue Dashcams - It's not a bug, it is a feature". ZephrSec. Archived from the original on 6 Apr 2024. Retrieved 19 Apr 2026.
14. "CVE-2023-27748 Detail". National Vulnerability Database. 13 Apr 2023. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
15. "CVE-2023-27746 Detail". National Vulnerability Database. 13 Apr 2023. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
16. "CVE-2023-27747 Detail". National Vulnerability Database. 13 Apr 2026. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
17. "CVE-2025-7075 Detail". National Vulnerability Database. 5 Jul 2025. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
18. "BlackVue Over the Cloud". The Dashcam Store. Archived from the original on 22 Feb 2026. Retrieved 19 Apr 2026.
19. Triggerfish (15 Mar 2023). "New Blackvue App 2023: HORRID". DashCamTalk. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
20. "BlackVue 3.66 APK". APKMirror. 1 Apr 2025. Archived from the original on 9 May 2025. Retrieved 19 Apr 2026.
21. "BlackVue Privacy Policy". Iubenda. 18 May 2025. Archived from the original on 3 Dec 2025. Retrieved 19 Apr 2026.
22. "BlackVue on the Apple App Store". Apple. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.