BlackVue: Difference between revisions
rewrote from stub. added gps tracking incident (2018-2024, vice/cybernews), firmware cves (dr750 & dr590x), mandatory registration history, cloud tier removal. fixed company type to private, sourced everything. |
fixed cve-2355/2356 conflation, 2.2k ratings not 2197, removed unsourced seoul, trimmed unsourced inference |
| Line 23: | Line 23: | ||
== Background == | == Background == | ||
Pittasoft Co. Ltd. was founded on July 2, 2007, in | Pittasoft Co. Ltd. was founded on July 2, 2007, in South Korea, by Hyunmin Hur.<ref name="tracxn" /><ref name="bv-sg">{{Cite web |title=About Us |url=https://www.blackvue.com.sg/about-us.html |website=BlackVue Singapore |access-date=2026-03-28}}</ref> The company initially focused on IP CCTV solutions before pivoting to dashboard cameras. The BlackVue brand launched in 2010 with the DR300, the company's first dashcam.<ref name="bv-sg" /> In 2015, Pittasoft introduced BlackVue Over the Cloud, a connected service that allows remote live viewing, GPS tracking, & push notifications through an internet-connected dashcam.<ref name="bv-sg" /> | ||
Pittasoft manufactures its dashcams in South Korea.<ref name="bv-sg" /> The company is privately held & has not raised institutional funding or executed an IPO.<ref name="tracxn" /> | Pittasoft manufactures its dashcams in South Korea.<ref name="bv-sg" /> The company is privately held & has not raised institutional funding or executed an IPO.<ref name="tracxn" /> | ||
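Review bot: the ampersand is used in running prose in the new Background text ("GPS tracking, & push notifications"; "privately held & has not raised"), where an encyclopedic article would spell out "and"; replace it throughout the paragraph. The founding sentence now cites both tracxn and bv-sg, but bv-sg is the company's own regional site, so the 2010 DR300 launch and the 2015 Over the Cloud launch rest on a primary source alone; an independent citation for those product dates would strengthen the section.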
| Line 36: | Line 36: | ||
Vice journalist Joseph Cox investigated further in January 2020, reverse-engineering the BlackVue iOS app & wrote scripts that collected the GPS locations of every BlackVue user with mapping enabled on the eastern half of the United States every two minutes over a week-long period.<ref name="vice">{{Cite web |title=This App Lets Us See Everywhere People Drive |url=https://www.vice.com/en/article/blackvue-dashcams-users-location-tracked/ |website=Vice/Motherboard |first=Joseph |last=Cox |date=2020-01-16 |access-date=2026-03-28}}</ref> The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, & Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" & claimed the company had updated security measures.<ref name="vice" /> | Vice journalist Joseph Cox investigated further in January 2020, reverse-engineering the BlackVue iOS app & wrote scripts that collected the GPS locations of every BlackVue user with mapping enabled on the eastern half of the United States every two minutes over a week-long period.<ref name="vice">{{Cite web |title=This App Lets Us See Everywhere People Drive |url=https://www.vice.com/en/article/blackvue-dashcams-users-location-tracked/ |website=Vice/Motherboard |first=Joseph |last=Cox |date=2020-01-16 |access-date=2026-03-28}}</ref> The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, & Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" & claimed the company had updated security measures.<ref name="vice" /> | ||
The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app & registering an account (which required no email verification), anyone could view the GPS locations & live video feeds of connected dashcams.<ref name="cybernews" /> BlackVue responded that sharing is "opt-in only" & claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.<ref name="cybernews" /> BlackVue acknowledged that "some information might be misleading" & said it would change the wording | The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app & registering an account (which required no email verification), anyone could view the GPS locations & live video feeds of connected dashcams.<ref name="cybernews" /> BlackVue responded that sharing is "opt-in only" & claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.<ref name="cybernews" /> BlackVue acknowledged that "some information might be misleading" & said it would change the wording.<ref name="cybernews" /> | ||
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an email exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, & audio "a case of personal choice" & described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |first=Andy |last=Gill |date=2024-03-15 |access-date=2026-03-28}}</ref> | Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an email exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, & audio "a case of personal choice" & described it as "a mature [feature], having been available for nearly 5 years."<ref name="zsec">{{Cite web |title=BlackVue Dashcams - It's not a bug, it is a feature |url=https://blog.zsec.uk/blackvue-privacy/ |website=ZephrSec |first=Andy |last=Gill |date=2024-03-15 |access-date=2026-03-28}}</ref> | ||
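Review bot: "reverse-engineering the BlackVue iOS app & wrote scripts" is not parallel; read "reverse-engineered the BlackVue iOS app and wrote scripts". "The researchers tracked users" has no antecedent, since the preceding sentence names only Cox; either name the researchers or write "The scripts tracked users". In the 2022 paragraph the contradiction between BlackVue's "private by default" and Gill's finding that "GPS access was enabled by default" is the security-relevant point, so naming the specific setting Gill found enabled would make clear which default the two statements disagree about. The 2024 paragraph says Gill published "two years after originally discovering the issue", but the CyberNews report already appeared in January 2022; "published his full write-up" would avoid implying the issue went unreported until 2024.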
| Line 58: | Line 58: | ||
* '''CVE-2025-7075''' (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.<ref name="cve-7075">{{Cite web |title=CVE-2025-7075 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |website=National Vulnerability Database |date=2025-07-05 |access-date=2026-03-28}}</ref> | * '''CVE-2025-7075''' (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.<ref name="cve-7075">{{Cite web |title=CVE-2025-7075 Detail |url=https://nvd.nist.gov/vuln/detail/CVE-2025-7075 |website=National Vulnerability Database |date=2025-07-05 |access-date=2026-03-28}}</ref> | ||
* '''CVE-2025-7076''': The same upload mechanism allows modification of device configurations, including the ability to disable battery protection & drain the vehicle's battery.<ref name="cve25-github" /> | * '''CVE-2025-7076''': The same upload mechanism allows modification of device configurations, including the ability to disable battery protection & drain the vehicle's battery.<ref name="cve25-github" /> | ||
* '''CVE-2025-2355''': The BlackVue v3.65 Android APK exposes both the BCS_TOKEN & SECRET_KEY in plaintext | * '''CVE-2025-2355''': The BlackVue v3.65 Android APK exposes both the BCS_TOKEN & SECRET_KEY in plaintext.<ref name="cve25-github" /> | ||
* '''CVE-2025-2356''': Sensitive API endpoints allow unauthorized calls to change device settings, including deleting a device from an account.<ref name="cve25-github" /> | * '''CVE-2025-2356''': Sensitive API endpoints transmit authentication tokens via GET parameters, exposing them in browser history, referral URLs, & proxy logs. The endpoints allow unauthorized calls to change device settings, including deleting a device from an account.<ref name="cve25-github" /> | ||
=== Mandatory app registration === | === Mandatory app registration === | ||
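Review bot: CVE-2025-7076, CVE-2025-2355 and CVE-2025-2356 carry no CVSS score and no affected-version information, while CVE-2025-7075 has both; each bullet should state the affected models and firmware versions (the edit summary mentions DR750 and DR590X) and cite the NVD entry the way the first bullet does rather than the cve25-github source alone. For CVE-2025-7075, "when connected to the dashcam's network" should say which network is meant, the dashcam's own Wi-Fi access point or the cloud connection, because that determines who can reach /upload.cgi and how exposed a device is. The CVE-2025-2355 bullet should say what BCS_TOKEN and SECRET_KEY protect, since the impact of plaintext exposure depends on that, and the CVE-2025-2356 bullet now describes two distinct problems (tokens in GET parameters and missing authorization on setting changes) in one sentence; separating them makes clear which is the CVE and which is the consequence.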
| Line 72: | Line 72: | ||
The Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 permissions in version 4.15.<ref name="apk-366" /> Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, & TikTok conversion tracking for advertising & analytics purposes.<ref name="privacy-policy">{{Cite web |title=BlackVue Privacy Policy |url=https://www.iubenda.com/privacy-policy/58407536/full-legal |website=Iubenda |date=2025-05-18 |access-date=2026-03-28}}</ref> | The Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 permissions in version 4.15.<ref name="apk-366" /> Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, & TikTok conversion tracking for advertising & analytics purposes.<ref name="privacy-policy">{{Cite web |title=BlackVue Privacy Policy |url=https://www.iubenda.com/privacy-policy/58407536/full-legal |website=Iubenda |date=2025-05-18 |access-date=2026-03-28}}</ref> | ||
On the Apple App Store, the app holds a 3.8 out of 5 rating from 2, | On the Apple App Store, the app holds a 3.8 out of 5 rating from approximately 2,200 ratings. Users reported that "App worked just fine for years PRIOR to their requiring you to have an account" & that "NOBODY needs or wants an account" to view local videos on cameras they already own.<ref name="appstore">{{Cite web |title=BlackVue on the App Store |url=https://apps.apple.com/us/app/blackvue/id1049209637 |website=Apple App Store |access-date=2026-03-28}}</ref> | ||
=== Cloud subscription tier removal === | === Cloud subscription tier removal === | ||
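Review bot: the 44-permission count for version 4.15 is attached to the apk-366 reference, which by its name covers version 3.66 only; the 4.15 figure needs its own citation. The App Store paragraph quotes two anonymous user reviews as evidence; they are user-generated content and should be attributed as such ("one reviewer wrote"), and the 3.8 rating from "approximately 2,200 ratings" should carry the date it was observed (the citation's access date is 2026-03-28) because the figure changes over time.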