BlackVue cloud-connected dashcams leak your location and allow anyone to view your video feed with a free account. Sort it out, folks!
Update: After two years and unfortunately no positive results from BlackVue, I decided that publishing this post was in the public interest. Especially with the rise in car crime, while not directly related to BlackVue, I figured it best be brought to people's attention.
So, I said at the start of 2022, when I originally wrote this blog post, that I was done with blog posts until I published LTR102. However, one weekend in 2022, I bought a new dashcam, and while reading through the functionality, I came across the 'connect to the cloud' option from within the mobile application.
How it Started
Now, my dashcam came with an LTE module to enable 'cloud connectivity'; my initial understanding was that this feature enabled push notifications to my phone if the camera detected motion or a bump to the car, which is perfectly reasonable. One would assume that this information would only be accessible to the user who has the camera, surely?
Well, you would be wrong because, simply put, anyone with access to a mobile device (and it works in the browser, too) can download the BlackVue mobile application, open it up and select 'connect to the cloud'; there is no need to own a camera beforehand or anything like that. Once clicked, the map view opens:
Do you see all of those numbers? They are cloud-connected dashcams, open to anyone to zoom in and see their geographic location. So, for starters, this is pretty bad, but as these things go, it gets worse.
https://twitter.com/ZephrFish/status/1480155179144130561?s=20
I thought I'd sign up for an account to see what it granted me. Signing up was as easy as dropping an email in (in this case, Gmail/Apple Private Relay), and it auto-signed me in via Gmail/Apple Private Relay depending on which OS app was chosen. From here, I was able to view not only the geographic location of dashcams but also live feeds of what was going on.
Historically, Others Have Raised it
November 2021
Antisocial Engineer also informed BlackVue in November of 2020 about this, but it appeared they did not want to resolve it and chalked it up to a feature.
October 2021
I am not the first person to find or even report this to BlackVue. One of my friends, Colin, emailed a UK entity of BlackVue to report similar bugs back in October 2021 and was told that this was indeed a feature rather than a security or privacy issue:
Colin's initial email to BlackVue:
Hi,
I would like to raise a potential security issue: while digging around I found that it’s possible to view ANYONE’S dashcam who has a BlackVue Cloud account and who has not changed their default configuration.
Steps to reproduce.
Access the APP > connect to cloud > select a camera
So far I’ve listened to conversations in the car, viewed questionable driving and gained address and security information by watching cars access properties/garages.
I would be interested in your response.
Response:
Thanks for getting in touch.
The experience you have reported is a feature of BlackVue Cloud, and only users who have opted-in by selecting “Share Location” in the privacy settings will appear on the map.
The default setting is off.
Followup from Colin:
I appreciate the (fast) response!
Hopefully this does not come across as argumentative, however I would question whether I should be able to view and listen to conversations for other users and basically watch them from location A to their home location?
I understand sharing location but anything over that raises privacy issues.
Final verdict from BV:
It’s a case of personal choice, personally it’s not for me - viewing other people or being viewed by other people - but it’s a feature that’s available for those that want it.
The feature is a mature one, having been available for nearly 5 years.
January 2020
Vice wrote about this same issue in Jan 2020, but it appears BlackVue changed some settings yet refused to take responsibility for the privacy impacts of their application and the 'features'.
How to Protect Yourself?
The easiest solution is not having a cloud-connected BlackVue at all, but if you do have one, turn off the GPS option within settings to prevent access.
Ultimately, this was reported two years ago at this point, and BlackVue still refuses to fix it, hence this blog post!