BlackVue is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.[1] Since 2018, multiple independent security researchers have found that BlackVue's Cloud service broadcasts users' real-time GPS locations, live video feeds, & audio to anyone with a free account.[2] Seven CVEs across two product lines remain unpatched or were only acknowledged after public disclosure,[3][4] and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally connected dashcam without an internet login.[5]
| Basic information | |
|---|---|
| Founded | 2007 |
| Legal Structure | Private |
| Industry | Electronics, Automotive |
| Also known as | Pittasoft, Pittasoft Co. Ltd. |
| Official website | https://blackvue.com/ |
Consumer-impact summary
- User privacy: BlackVue Cloud has broadcast users' GPS coordinates, live video, & audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug."[2]
- Device security: Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 & DR590X product lines allow remote firmware backdooring & unauthenticated access to recordings, & expose hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.[3][4]
- User freedom: Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally connected dashcam. Non-login Wi-Fi Mode was removed.[5]
- Subscription lock-in: In early 2025, Pittasoft discontinued its "Free Forever" cloud tier & moved all cloud features to paid subscriptions, breaking a promise made to existing customers.[6]
Background
Pittasoft Co. Ltd. was founded on July 2, 2007, in South Korea, by Hyunmin Hur.[1][7] The company initially focused on IP CCTV solutions before pivoting to dashboard cameras. The BlackVue brand launched in 2010 with the DR300, the company's first dashcam.[7] In 2015, Pittasoft introduced BlackVue Over the Cloud, a connected service that allows remote live viewing, GPS tracking, & push notifications through an internet-connected dashcam.[7]
Pittasoft manufactures its dashcams in South Korea.[7] The company is privately held & has not raised institutional funding or executed an IPO.[1]
Incidents
GPS location broadcasting
- Main article: BlackVue GPS location broadcasting
In October 2018, CSO Online reported that BlackVue dashcam owners were unknowingly broadcasting their real-time GPS coordinates, live video, & audio through BlackVue Cloud. The default cloud configuration when enabling the service opted users into public sharing without warning.[8]
Vice journalist Joseph Cox investigated further in January 2020, reverse-engineering the BlackVue iOS app & writing scripts that collected, every two minutes over a week-long period, the GPS locations of every BlackVue user with mapping enabled in the eastern half of the United States.[9] The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, & Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" & claimed the company had updated security measures.[9]
The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app & registering an account (which required no email verification), anyone could view the GPS locations & live video feeds of connected dashcams.[2] BlackVue responded that sharing is "opt-in only" & claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.[2] BlackVue acknowledged that "some information might be misleading" & said it would change the wording.[2]
Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an email exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, & audio "a case of personal choice" & described it as "a mature [feature], having been available for nearly 5 years."[10]
Firmware security vulnerabilities
DR750 (CVE-2023-27746, CVE-2023-27747, CVE-2023-27748)
In July 2022, a security researcher reported three vulnerabilities in the BlackVue DR750-2CH LTE (firmware v1.012_2022.10.26) to Pittasoft. The company was informed but did not issue a patch.[3] The CVEs were published in the National Vulnerability Database on April 13, 2023:
- CVE-2023-27748 (CVSS 9.8 Critical): The DR750's FOTA (firmware over the air) service on port 9771/TCP performs no authenticity check on uploaded firmware. An attacker on the same network or on the internet (for LTE-connected devices) can upload firmware containing backdoors.[11]
- CVE-2023-27746 (CVSS 9.8 Critical): The default Wi-Fi passphrase uses only 8 lowercase alphanumeric characters, allowing brute-force cracking.[12]
- CVE-2023-27747 (CVSS 7.5 High): The dashcam's built-in web server has no authentication, allowing anyone on the network to access live video feeds, download all recordings, & retrieve device configurations.[13]
At the time of disclosure, approximately 300 vulnerable DR750 devices were discoverable online.[3] No official patch has been released.[3]
DR590X (CVE-2025-7075, CVE-2025-7076, CVE-2025-2355, CVE-2025-2356)
On February 25, 2025, researcher geo-chen disclosed four vulnerabilities in the BlackVue DR590X to Pittasoft. The company acknowledged the report on February 26 & accepted the vulnerabilities on March 5, 2025.[4]
- CVE-2025-7075 (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.[14]
- CVE-2025-7076: The same upload mechanism allows modification of device configurations, including the ability to disable battery protection & drain the vehicle's battery.[4]
- CVE-2025-2355: The BlackVue v3.65 Android APK exposes both the BCS_TOKEN & SECRET_KEY in plaintext.[4]
- CVE-2025-2356: Sensitive API endpoints transmit authentication tokens via GET parameters, exposing them in browser history, referral URLs, & proxy logs. The endpoints allow unauthorized calls to change device settings, including deleting a device from an account.[4]
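The leak path described for CVE-2025-2356, seen from the log-review side, as an added example (not code from the researcher or from Pittasoft): a credential carried in a GET query string lands in the proxy's request line and in later Referer headers, and this scanner flags and redacts both. The parameter names, paths and log lines are constructed assumptions; the page does not name the real ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical credential-bearing parameter names; the page does not name
# the parameters the affected endpoints actually use.
SENSITIVE = {"token", "user_token", "access_token", "secret", "key"}

# Combined Log Format: "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def redact_url(url):
    """Return (redacted_url, names of sensitive params that were present)."""
    parts = urlsplit(url)
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scan_line(line):
    """Flag a log line whose request target or Referer carries a credential."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not an access-log line we understand
    findings, clean = {}, line
    for field in ("target", "referer"):
        redacted, found = redact_url(m.group(field))
        if found:
            findings[field] = found
            clean = clean.replace(m.group(field), redacted)
    return {"method": m.group("method"), "findings": findings, "redacted": clean}

# Constructed sample lines (not real BlackVue traffic, hosts or endpoints).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2025:10:00:00 +0000] "GET /api/device/delete?id=42&user_token=abc123 HTTP/1.1" 200 17 "-" "app"',
    '198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "GET /help HTTP/1.1" 200 900 "https://cloud.example/settings?user_token=abc123" "browser"',
    '198.51.100.7 - - [01/Mar/2025:10:00:09 +0000] "POST /api/device/delete HTTP/1.1" 200 17 "-" "app"',
]

def report(lines):
    """Return only the parsed lines in which a credential was found."""
    return [r for r in map(scan_line, lines) if r and r["findings"]]
```

The third sample line, a POST whose request line carries no credential, produces no finding, which is the property the GET-based endpoints lack.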
Mandatory app registration
- Main article: BlackVue mandatory app registration
On March 13, 2025, Pittasoft announced that a BlackVue account would be required to use the companion app. The announcement stated that "Non-login Wi-Fi Mode will no longer be available," removing the ability to connect to a locally present dashcam without first creating an account & logging in over the internet.[5]
This was Pittasoft's second attempt to require mandatory registration. In March 2023, an app update required users to log in to access their dashcam. After user complaints on forums & app stores, BlackVue released version 3.42 on March 23, 2023, which added a Guest mode for direct Wi-Fi access without login.[15] In 2025, BlackVue removed that Guest mode.
Android app version 3.66 (released April 1, 2025) & iOS version 4.0 (released April 3, 2025) implemented the mandatory account requirement.[16] The app's changelog listed "BlackVue account now required" under "Important Changes." An offline mode allows local access after the initial login, but the first login requires an internet connection.[16]
The Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 permissions in version 4.15.[16] Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, & TikTok conversion tracking for advertising & analytics purposes.[17]
On the Apple App Store, the app holds a 3.8 out of 5 rating from approximately 2,200 ratings. Users reported that "App worked just fine for years PRIOR to their requiring you to have an account" & that "NOBODY needs or wants an account" to view local videos on cameras they already own.[18]
Cloud subscription tier removal
In January 2025, Pittasoft notified existing BlackVue Cloud users that all cloud services would become subscription-only starting in February 2025, discontinuing a tier the company had previously marketed as "Free Forever."[6] Users reported that BlackVue was still advertising the "Free Forever" plan on its website while sending emails notifying customers of the change. One user reported the new subscription cost was $16 per month.[6]
BlackVue Cloud features include remote live view, GPS tracking, two-way voice communication, live event upload, & cloud video backup.[19] The transition to paid-only access means owners of cloud-compatible dashcams who relied on the free tier lost remote access features they had been using since purchasing their hardware.
Products
BlackVue's current lineup includes:
- ELITE Series (ELITE 8, ELITE 9, ELITE 10): Premium tier with 4K UHD recording & Sony STARVIS 2 sensors
- DR970X Series: 4K recording with 8MP Sony STARVIS sensors, available with built-in LTE
- DR770X Series: Full HD at 60fps, available in 1-channel, 2-channel, & truck variants
- DR590X Series: Entry-level line
- BOX Series: Tamper-proof recording unit separate from camera lenses
References
- [1] "BlackVue Company Profile". Tracxn. Retrieved 2026-03-28.
- [2] Lapienytė, Jurgita (2022-01-12). "BlackVue dash cameras let you track other users; the company says it's a feature, not a bug". CyberNews. Retrieved 2026-03-28.
- [3] "BlackVue DR750 CVE". GitHub. Retrieved 2026-03-28.
- [4] "BlackVue Security Vulnerabilities". GitHub. Retrieved 2026-03-28.
- [5] "Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More". BlackVue. 2025-03-13. Archived from the original on 2025-09-11. Retrieved 2026-03-28.
- [6] "BlackVue Still Advertising Their "Free Forever" Plan After Notifying All Existing Users BlackVue Cloud Services Will be Subscription Only Starting 02/2025". Reddit r/Dashcam. 2025-01-04. Retrieved 2026-03-28.
- [7] "About Us". BlackVue Singapore. Retrieved 2026-03-28.
- [8] Smith, Ms. (2018-10-02). "BlackVue dashcams share cars' mapped GPS locations, stream video feeds and audio". CSO Online. Retrieved 2026-03-28.
- [9] Cox, Joseph (2020-01-16). "This App Lets Us See Everywhere People Drive". Vice/Motherboard. Retrieved 2026-03-28.
- [10] Gill, Andy (2024-03-15). "BlackVue Dashcams - It's not a bug, it is a feature". ZephrSec. Retrieved 2026-03-28.
- [11] "CVE-2023-27748 Detail". National Vulnerability Database. 2023-04-13. Retrieved 2026-03-28.
- [12] "CVE-2023-27746 Detail". National Vulnerability Database. 2023-04-13. Retrieved 2026-03-28.
- [13] "CVE-2023-27747 Detail". National Vulnerability Database. 2023-04-13. Retrieved 2026-03-28.
- [14] "CVE-2025-7075 Detail". National Vulnerability Database. 2025-07-05. Retrieved 2026-03-28.
- [15] "New Blackvue App 2023: HORRID". DashCamTalk. 2023-03-15. Retrieved 2026-03-28.
- [16] "BlackVue 3.66 APK". APKMirror. 2025-04-01. Retrieved 2026-03-28.
- [17] "BlackVue Privacy Policy". Iubenda. 2025-05-18. Retrieved 2026-03-28.
- [18] "BlackVue on the App Store". Apple App Store. Retrieved 2026-03-28.
- [19] "BlackVue Over the Cloud". The Dashcam Store. Retrieved 2026-03-28.