Are dash cam users en-route to security risks?
Over the years, the capabilities and features of dash cams have progressed as camera sensors have advanced and wireless capability has become the norm. Most modern dash cams have Bluetooth and/or Wi-Fi connectivity so that a user can pair them with their smart device, making it easier than ever to access the captured video streams and SD storage. But can we trust them to keep our data safe and secure?
We worked with UK consumer champion Which? to research the security risks of nine dash cams currently on the market. We found a number of dash cams are vulnerable to the same security risks that we have found repeatedly in other connected devices such as connected toys, cameras, smart plugs, and doorbells.
The risks uncovered
Dash cams record a multitude of sensitive information – where the driver lives, where they work, when they leave the house, and where they go. Through our testing, we found that there are two main issues that are putting users at risk: weak default passwords and weakly encrypted data.
Weak default passwords
Dash cam recordings are typically saved on an SD card, and most have a smartphone app which connects over Wi-Fi to the dash cam to let users watch the footage on their phones. This wireless connection between the smartphone app and dash cam is usually password protected, and the strength of this password is crucial when it comes to security risks. However, we found that seven of the devices tested used weak default passwords, which means that if a hacker can guess or crack the password, they could easily access the dash cam through their smartphone.
Poor data encryption
Encryption allows messages to be scrambled and wrapped in layers of protection to ensure they cannot be read if the message is intercepted between the sender and recipient. It should be used whenever data is stored on a device or transferred, and it should be updated regularly as hackers decode older forms of encryption. Our research found that a number of dash cams used older forms of encryption, meaning that hackers can more easily intercept data being transmitted between the camera and the app, which can then be decoded and used.
The biggest issue, pervasive across all devices in this research, was a reliance on the dash cam being deployed inside a car, with the responsibility falling on the customer to “protect” it in this context. There are many individuals and groups that are constantly reverse engineering many types of devices, some for profit and some for research.
While there are emerging standards and legislation around IoT devices and the minimum security requirements they should implement, there doesn’t seem to be the same emphasis on dash cams because they are only Wi-Fi capable devices and not directly connected to the internet.
An interesting debate that surfaced during this research was around whether dash cam and GPS data are personal data. The majority of dash cam manufacturers did not believe this to be the case, with their position being that captured video footage is of public space imagery, and that the manufacturers don’t store or process dash cam or GPS data beyond the physical devices, which remain in control of the users.
However, our privacy experts believe otherwise, particularly since the nature of some footage and GPS data could be used to identify individuals, especially when footage and GPS data correlate to people’s home addresses, which can be visible at the start and end of their journeys. The European Data Protection Board are clear on GPS being personal data. As the vendor is determining what data is collected and how it is used, they very much appear to be the data controller. Our recommendation to minimise risk of data exposure through any current or future vulnerabilities in dash cams is that video feeds and GPS data are encrypted at rest.
Educating customers about the secure use and disposal of these types of devices is also important. It would be very easy to forget that there is an SD card in the device when either selling it on or throwing it away, and if it was retrieved, a profile of the previous owner could be created, especially if GPS data is also stored alongside video feeds.
Paying the price for security?
While there were no critical vulnerabilities discovered during this research, the issues that were found affected many, if not all, devices. The challenge for many of the manufacturers is the focus on developing better software for dash cams, such as image stability and responsiveness, so they perform to the optimum levels that their underlying hardware can support.
A shift in focus needs to happen to also include security of the data generated by the dash cams to better protect the users of these devices should a critical and exploitable vulnerability be discovered in the future.
Consumers shouldn’t have to pay the price for security – our data should be protected no matter what device we use, how much we pay and how ‘connected’ it is.
If you'd like more information on this research, you can read the Which? article here.