BlackVue dashcams share cars’ mapped GPS locations, stream video feeds and audio

Just as some people are unknowingly streaming live video from security cams in their homes, some are also unknowingly live-streaming video from their cars. They have made the video feed from their front and rear dashcams, as well as the mapped GPS location of the vehicle – the speed it is going or if it is parked – and even audio from inside the vehicle, available to the public.

Let’s assume you dropped around $400 or so for a BlackVue dashcam, which includes “Over the Cloud” capabilities. That’s what IT pro Tim Woodruff – who is a software architect and developer for IT service management software, a former pen tester, and author – did after a semi hit his new Tesla Model X and insurance refused to pay even though the driver admitted to not seeing the Tesla. Installation and all cost him a whopping $1,200.

BlackVue comes with a Cloud Viewer which allows owners to see a live view of their car. However, Woodruff warned that thanks to a sketchy registration process, that live view is available to the public. Users are opted-in by default to share the precise GPS location of their vehicles on a map, as well as a stream live video feeds of the front and rear cameras.

Do you really want to broadcast a live feed of where you go, of the inside your garage, or where you drop your kids off at school? Do you ever do anything you might not want the world to know, such as visit a head shop, an erotica store, seek treatment at a medical center, or even visit the person with whom you might be having an affair?

Woodruff is convinced that most folks don’t know about the automatic opt-in and the default settings, which “are all but hidden in a secondary settings menu – and that is terrifying.”

As a software developer, he decided “the BlackVue software configuration process and user experience is probably the worst and most poorly designed” that he has ever seen. Furthermore, he believes it was “sheer unadulterated incompetence that lead to this massive breach of their customers’ security and trust” as opposed to purposeful maliciousness.

BlackVue’s response

Woodruff contacted BlackVue in September and gave the company a week to respond. After there was no response, Woodruff went public:

Cloud-ready @BlackVue #dashcams illegally broadcast your EXACT GPS location, AND LIVE VIDEO from inside your car, without permission, PUBLICLY on the internet! https://t.co/tjeEl5FNDb Registration process: https://t.co/SsMnHecrFa @kairyssdal @SmashinSecurity @GOGPodcast #infosec

— Tim Woodruff (@TheTimWoodruff) September 18, 2018

At that point, BlackVue replied to the tweet, saying it was reported internally: “Our developers are working on a fix to clarify the dashcam registration process and default privacy settings.”

To that, Woodruff pointed out:

@BlackVue They should not *BE* the default privacy settings. Are you new to the internet or something? It’s bad enough when the default is “share all my information with [company]”, but if it’s your live GPS and camera view from inside your car, PUBLIC SHOULD NOT BE THE DEFAULT.

— Tim Woodruff (@TheTimWoodruff) September 20, 2018

Woodruff explains the problem and even includes live dashcam video feeds from other people’s vehicles in the video below.

A post on Reddit goes so far as to state: “You can browse BlackVue users worldwide and watch/hear their cars using their software as well as to know their exact GPS location. It’s safe to assume almost all of these people don’t know they are broadcasting everything live.”

Audio, too? It is an option in the camera’s privacy settings, as is publicly sharing location, video, and camera name. I suppose if you needed proof, enabled audio along with the camera is one way to go – as seen by a Tesla Model 3 owner who got pulled over because the cop said he couldn’t have the computer mounted – not realizing the center console is standard in a Tesla.

‘Deceptive’ BlackVue registration process

In the below video, Woodruff shows the “deceptive” registration process.

Follow-up with a more clear video of the registration process (as of 1 hour ago today): https://t.co/yU8CXHpDOn APPARENTLY even if you OPT OUT of these settings, if you re-register your camera later, YOU’RE OPTED BACK IN – again, without your knowledge or consent. @BlackVue

— Tim Woodruff (@TheTimWoodruff) October 2, 2018

The options to publicly share location, video, audio and camera name are listed under the camera’s privacy settings where it also notes:

By sharing your Live View you can let other users vicariously experience the excitement and pleasure of driving all over the world. However, as personal video may be transmitted you should take special care in deciding what information you share.

Woodruff says your “public location and live video are enabled by default!” When you first register a new camera, there is a checkbox to “Allow BlackVue Cloud Viewer to access your dashcam’s GPS data.” That is followed by this notification: “We use this to let you track your car’s location and speed, and share traffic information with other BlackVue users. If you don’t allow access we cannot show your car’s location and speed.”

Woodruff pointed out that there’s nothing mentioned about “broadcasting live video from inside your car and making this information public.”

He goes on to show that if you were to register your BlackVue dashcam and then disable the cloud settings that made your dashcam video feed public, then unregister the cam, and then re-register it again, you are automatically opted back into the public settings.

Does this violate GDPR or other privacy laws? If you got a BlackVue for security, surely you can see that the public sharing of your information can also make you less secure.

After downloading the BlackVue Windows Viewer software (last updated today Oct. 2), I could indeed see the location of many vehicles with BlackVue dashcams on a map.

Ms. Smith

As for the icons, Woodruff explained to me that the orange vehicles are live-broadcasting their GPS location on a map, while the green vehicles “show a live video feed from inside the car. Broadcasting live video and GPS is the default configuration when you enable the cloud features, which does not notify or warn you in any way that your information will be public.”

Scroll in tighter and it shows things like how fast the vehicle in going or if it is parked. For the green ones, I could see the name of the camera or the specific names assigned by owners such as Tesla S or Honda with even more identifying information than I was willing to screenshot and share.

Ms. Smith

I could not, however, see the live video feed without logging into my account or registering my BlackVue. To be clear, what I could see was available to anyone who downloads the software, as I don’t have a BlackVue or any other type of dashcam.

At the time of publication, BlackVue had not responded to my request for comment.

You can find more information about how to change, hopefully to disable, the BlackVue GPS location sharing via the cloud on BlackVue’s Help Center page.