Blog post -

Are dash cam users en-route to security risks?

Over the years, the capabilities and features of dash cams have progressed as camera sensors have advanced and wireless capability has become the norm. Most modern dash cams have either Bluetooth and/or Wi-Fi connectivity for a user to pair with their smart device, making it easier than ever to access the captured video streams and SD storage. But can we trust them to keep our data safe and secure?

We worked with UK consumer champion Which? to research the security risks of nine dash cams currently on the market. We found a number of dash cams are vulnerable to the same security risks that we have found repeatedly in other connected devices such as connected toys, cameras, smart plugs, and doorbells.

The risks uncovered

Dash cams record a multitude of sensitive information – where the driver lives, where they work, when they leave the house, and where they go. Through our testing, we found that there are two main issues that are putting users at risk: weak default passwords and weakly encrypted data.

Weak default passwords

Dash cam recordings are typically saved on an SD card, and most have a smartphone app which connects over Wi-Fi to the dash cam to let users watch the footage on their phones. This wireless connection between the smartphone app and dash cam is usually password protected, and the strength of this password is crucial when it comes to security risks. However, we found that seven of the devices tested used weak default passwords, which means that if a hacker can guess or crack the password, they could easily access the dash cam through their smartphone.

Poor data encryption

Encryption allows messages to be scrambled and wrapped in layers of protection to ensure they cannot be read if the message is intercepted between the sender and recipient. It should be used whenever data is stored on a device or transferred and updated regularly as hackers decode older forms of encryption. Our research found that a number of dash cams used older forms of encryption, meaning that hackers can more easily intercept data being transmitted between the camera and the app, which can then be decoded and used.

What next?

The biggest issue that was pervasive across all devices in this research was a reliance on the deployment of a dash cam inside a car and it being the responsibility of the customer to “protect” it in this context. There are many individuals and groups that are constantly reverse engineering many types of devices, some for profit and some for research.

While there are emerging standards and legislation around IoT devices and the minimum security requirements they should implement, there doesn’t seem to be the same emphasis on dash cams because they are only Wi-Fi capable devices and not directly connected to the internet.

An interesting debate that surfaced during this research was around whether dash cam and GPS data are personal data. The majority of dash cam manufacturers did not believe this to be the case, with their position being that captured video footage is of public space imagery, and that the manufacturers don’t store or process dash cam or GPS data beyond the physical devices, which remain in control of the users.

However, our privacy experts believe otherwise, particularly since the nature of some footage and GPS data could be used to identify individuals, especially when footage and GPS data correlates to people’s home addresses which can be visible at the start and end of their journeys. The European Data Protection Board are clear on GPS being personal data. As the vendor is determining what data is collected and how it is used, they very much appear to be the data controller. Our recommendation to minimise risk of data exposure through any current or future vulnerabilities in dash cams is that video feeds and GPS data are encrypted at rest.

Educating customers about the secure use and disposal of these types of devices is also important. It would be very easy to forget that there is an SD card in the device when either selling it on or throwing it away and if it was retrieved then a profile of the previous owner could be created, especially if GPS data is also stored alongside video feeds.

Paying the price for security?

While there were no critical vulnerabilities discovered during this research, the issues that were found affected many, if not all devices. The challenge for many of the manufacturers is the focus on developing better software for dash cams, such as image stability and responsiveness so they perform to the optimum levels that their underlying hardware can support.

A shift in focus needs to happen to also include security of the data generated by the dash cams to better protect the users of these devices should a critical and exploitable vulnerability be discovered in the future.

Consumers shouldn’t have to pay the price for security – our data should be protected no matter what device we use, how much we pay and how ‘connected’ it is.

If you'd like more information on this research, you can read the Which? article here.

Related links

Topics

  • Computer security

Categories

  • research
  • iot
  • securing our connected future
  • cyber security

Contacts

NCC Group Press Office

Press contact All media enquires relating to NCC Group plc +44 7721577574

Related content

Honeypot research reveals the connected life might not be so sweet

Smart TVs, fridges, toothbrushes, heating, plugs, cameras, kettles – these are just a few of the connected devices that have made their way into our homes. But what are the security implications of introducing more of these smart devices into our homes? Our latest research with Which? and the Global Cyber Alliance delves into this.

Smart doorbells – delivering the security you expect?

Smart doorbells are designed to make our lives easier and give us peace of mind about who may be approaching our homes – even when we’re out – but how secure are they?

UK government announces plans for new IoT security law

Today, the UK government's Department for Digital, Culture, Media and Sport (DCMS) has published its response to its call for evidence seeking feedback on proposals to regulate the cyber security of consumer smart products. Our global CTO, Ollie Whitehouse, responds to this announcement in this post.

Putting the brakes on e-scooter security flaws with Which?

In a recent research project on e-scooters with independent consumer body Which? we found multiple security flaws that could enable hackers to access users’ data, increase e-scooters’ speed and activate their brakes remotely.

NCC Conversations: How can we reduce bias in artificial intelligence?

As part of our NCC Conversations series, we’ve been exploring the issue of systemic racism and how it impacts our industry, wider society, and the artificial intelligence technology that we use every day.

GPS S.O.S: Making GPS technology safer

GPS tracking is now a part of our daily life - in our smartwatches, smartphones, pet trackers, vehicles satellite navigation and more. But what are the risks? Anna Reedman, security consultant, explores this.

Home is where the hack is?

Smart products, such as doorbells, wireless cameras and alarms, have been increasingly popular purchases for consumers in recent years. The products can bring a range of efficiencies into the home, but a recent investigation from independent UK consumer body, Which?, shows that they could also present security and privacy risks.