
Cybersecurity researcher Andy Gill has discovered that BlackVue dashboard cameras publicly broadcast your exact GPS location from inside your car. The company claims that this is not a vulnerability but a feature, and people share their private information by choice.
BlackVue is a well-known maker of dashboard cameras (dashcams), used to record the view through the car's front windscreen continuously.
Andy Gill tested the BlackVue app on both the iOS and Android systems and came across some unpleasant discoveries.
"Cloud-ready @BlackVue #dashcams broadcast your EXACT GPS location by default it seems from inside your car, without permission, PUBLICLY on the internet! Here's a quick video from the mobile app. From reading, this is a feature, not a bug, and it appears it's been reported before," he tweeted.
In this video from the mobile app, you can see the owners of dashcams scattered all over the map (the US and Europe in particular), meaning they were broadcasting their GPS location publicly. The number of users on the map was relatively small. For example, in France, only 25 users were broadcasting their location. From the map, you can assume that it doesn't publicly show all of the BlackVue users' locations.
However, the map made Gill wonder whether these users broadcast their location on purpose or were unaware of the feature.
Gill took his findings to Twitter to discuss. From his tweets, it appears that by downloading the app and registering a free account, which requires no email verification, you can tap into random dashcams and follow cars' speed and location.
"To make matters worse, most cars I've found so far either have the reg plate in the camera feed or the model of car which makes for an easy shopping list of cars to steal," Gill pointed out that the app allows audio on some of the cameras if there's a microphone.
BlackVue doesn't consider this a bug but rather a feature that you can easily disable. The company addressed Gill's concerns with a 15-comment thread on Twitter.
"We would like to clarify that the sharing of GPS, video, or audio data or dashcam name on the public World Map is opt-in only. This means you can assume any camera you might see on the World Map was shared on purpose by their user. Note that the cameras you can see on the map represent a small fraction of the total BlackVue Cloud active users," BlackVue said.
The company admitted it has a World Map feature accessible to anyone, stressing that users who can be tracked using the World Map must have chosen to be visible themselves.
"However, we would like to make it clear that it is extremely unlikely that a user would share their camera's location, name and video accidentally. Users need to sign up and create an account with us to register a camera," the company said.
Upon registering a camera to one's account, the BlackVue app will ask the user whether to allow GPS access or not. The purpose of this is for the user to see the speed and location of their camera when they access it over the cloud.
"In the app's Privacy Settings menu, this setting is marked as "Private" because it does not make the camera's location or videos available on the World Map. Users can optionally share the following data "Publicly" to appear on the World Map: location, live video, live audio, and dashcam name. Disabling Share Location means your camera will not appear on the World Map inside the BlackVue App."
BlackVue claims that all of these features are disabled by default.
However, from Gill's testing results, it appears that GPS access is enabled by default.
"You can, however, disable LTE altogether, which is good, and you can opt-out of this 'feature,' but it's silly," Gill wrote.
CyberNews reached out to BlackVue on Monday. BlackVue stressed that by default, all cameras are set to private.
"The Private setting "Allow GPS access" is designed to control whether the dashcam's owner will be able to see their own dashcam's location in the app. Having that setting on does not make the camera's location visible on the World Map," the company told CyberNews.
However, BlackVue acknowledged that some information might be misleading and said it would change the wording.