BlackVue firmware security vulnerabilities

BlackVue manufactures cloud-connected dashcams that provide remote access to live feeds, GPS tracking, & stored recordings through WiFi & cellular (LTE) connections. The DR750-2CH LTE model connects directly to the internet via its built-in LTE modem, making its services reachable without requiring proximity to the vehicle's WiFi network.^[1]

Two independent security researchers audited BlackVue dashcams roughly 2.5 years apart. The first researcher (eyJhb) reported 3 vulnerabilities in the DR750 in July 2022. The second researcher (Geo Chen) disclosed 4 vulnerabilities in the DR590X in February 2025.^[1][2]

The DR750-2CH LTE running firmware v1.012-eng contained 3 critical-to-high severity vulnerabilities that, chained together, allow full remote compromise of the device.^[1]

The DR750's default WiFi password uses only lowercase alphanumeric characters with a length of 8.^[1] This character set produces a keyspace small enough to brute-force from a captured WiFi handshake. The researcher estimated the password could be cracked in roughly 4 days using rented cloud hardware costing approximately 40 EUR.^[1] The NVD assigned this vulnerability a CVSS score of 9.8 (Critical).^[3]

A built-in web server on the DR750 exposes live video feeds, position & speed telemetry, stored recordings, & device configuration downloads without any authentication.^[1] Anyone on the same network (or anyone on the internet for LTE-connected models) can access these endpoints.^[1] The configuration download includes encrypted WiFi credentials.^[1] The NVD assigned a CVSS score of 7.5 (High).^[4]

Port 9771/TCP on the DR750 hosts a FOTA (firmware over-the-air) service with no authentication & no firmware authenticity check.^[1] An attacker can upload custom firmware containing a backdoor.^[1] The dashcam has no firewall, so on LTE models this port is reachable from the public internet.^[1] Custom firmware persists even after a user reinstalls the official firmware, giving the attacker persistent root access to the device.^[1] The NVD assigned a CVSS score of 9.8 (Critical).^[5]

BlackVue acknowledged it would investigate but has not released a patch.^[1] At the time of disclosure, approximately 300 vulnerable DR750 devices were identified as publicly accessible on the internet.^[1]

Security researcher Geo Chen disclosed 4 vulnerabilities in the BlackVue DR590X dashcam & its companion mobile app on February 25, 2025.^[2]

The DR590X exposes an /upload.cgi endpoint at http://10.99.77.1/upload.cgi with no authentication. Any device on the dashcam's WiFi network can upload arbitrary files, including malware, to the dashcam.^[2] The NVD assigned a CVSS score of 8.8 (High).^[6]

Through the same upload mechanism, an attacker can modify the dashcam's configuration file without authentication. This allows disabling battery protection on the dashcam, which can drain the vehicle's battery.^[2] The NVD assigned a CVSS score of 8.8 (High).^[7]

The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.^[8] These client secrets are transmitted via GET parameters, which means they appear in browser history, referral URLs, & proxy logs.^[2]

Using tokens extracted from the APK or intercepted from GET parameters, an attacker can make API calls to delete devices from a user's account & modify device settings without authorization.^[2] The userToken is transmitted via GET parameters rather than POST request bodies or authorization headers, exposing it to the same logging & interception risks as the hardcoded secrets.^[2][9]

Geo Chen reported the DR590X vulnerabilities to BlackVue on February 25, 2025. BlackVue acknowledged the report on February 26, 2025, & accepted the findings on March 5, 2025. CVEs were published on March 16, 2025.^[2]

Both sets of vulnerabilities expose dashcam owners to surveillance & vehicle tampering risks that cannot be mitigated through software settings.^[1][2] The DR750's LTE connectivity means the firmware upload vulnerability (CVE-2023-27748) is exploitable remotely without physical proximity to the vehicle.^[1] A compromised dashcam can serve as a persistent surveillance device, streaming live video, audio, & GPS location data to an attacker.^[1]

The DR590X's battery protection bypass (CVE-2025-7076) introduces a physical consequence: an attacker within WiFi range can disable the dashcam's voltage cutoff, causing it to drain the vehicle's 12V battery.^[2] The hardcoded API secrets (CVE-2025-2355) & unauthorized API access (CVE-2025-2356) extend the attack surface beyond the local network to BlackVue's cloud infrastructure, allowing remote account & device manipulation.^[2]

The DR750 vulnerabilities remain unpatched more than 3 years after the initial report to the vendor.^[1] BlackVue accepted the DR590X findings on March 5, 2025, but as of the CVE publication date had not announced fixes for those vulnerabilities either.^[2]

• BlackVue
• IoT device security
• Right to Repair