Internet-enabled dash cams that allow anyone to track your GPS location in real-time

Graham Cluley
Graham Cluley
@[email protected]

Internet-enabled dash cams that allow anyone to track your location in real-time

Joseph Cox at Motherboard reports that car drivers who have installed a BlackVue dash cam into their vehicle can have their real-time GPS location tracked.

The issue was highlighted by infosec professional Lee Heath on Christmas Day, who received a BlackVue dash cam as a gift.

Motherboard explained how it was able to extract location data via the BlackVue iPhone app:

By reverse engineering the iOS version of the BlackVue app, Motherboard was able to write scripts that pull the GPS location of BlackVue users over a week long period and store the coordinates and other information like the user’s unique identifier. One script could collect the location data of every BlackVue user who had mapping enabled on the eastern half of the United States every two minutes. Motherboard collected data on dozens of customers.

With that data, we were able to build a picture of several BlackVue users’ daily routines: one drove around Manhattan during the day, perhaps as a rideshare driver, before then leaving for Queens in the evening. Another BlackVue user regularly drove around Brooklyn, before parking on a specific block in Queens overnight. The user did this for several different nights, suggesting this may be where the owner lives or stores their vehicle. A third showed someone driving a truck all over South Carolina.

A screenshot of the location data of one Blackvue user that Motherboard tracked throughout New York.
An obfuscated screenshot of the location data of one BlackVue user that Motherboard tracked throughout New York. Source: Motherboard.

BlackVue says that it has now updated its security measures.

Concerns about the security and privacy of vehicle dash cams is nothing new.

In September 2018, it was disclosed that one vendor’s dash cams were sharing video footage from vehicles and real-time GPS location details by default – a design decision that was criticised for its “sheer unadulterated incompetence” that resulted in the “massive breach of their customers’ security and trust”

The name of that dashcam manufacturer? BlackVue.

You can hear what he had to say about that in a “Smashing Security” podcast we recorded at the time.

Smashing Security #97: 'Dash cam surveillance, robocall plague, and Zoho woe'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.