{"id":29771,"date":"2025-11-27T16:41:09","date_gmt":"2025-11-27T16:41:09","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=29771"},"modified":"2025-11-27T16:41:09","modified_gmt":"2025-11-27T16:41:09","slug":"dashcam-hack-botnet-on-the-wheels","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/dashcam-hack-botnet-on-the-wheels\/29771\/","title":{"rendered":"Botnets on wheels: the mass hacking of dashcams"},"content":{"rendered":"<p>Dashcams, popular in some countries while illegal in others, are typically seen as insurance in case of an accident or roadside dispute. But a team of Singaporean cybersecurity researchers have a different take. They see offline (!) dashcams as a suitable foundation for\u2026 a mass surveillance system \u2014 moreover, one that can broaden automatically. They presented the details of their research at the <a href=\"https:\/\/thesascon.com\" target=\"_blank\" rel=\"noopener nofollow\">Security Analyst Summit 2025<\/a>.<\/p>\n<h2>The espionage potential of a dashcam<\/h2>\n<p>So, how can an offline device be used for surveillance? Well, though it\u2019s true that most dashcams aren\u2019t equipped with a SIM card or 4G\/5G connectivity, even inexpensive models have Wi-Fi. This allows the driver\u2019s phone to connect to the device through a mobile app to adjust settings, download videos, and for other purposes. And as it turns out, many dashcams allow authentication to be bypassed, meaning a malicious actor can connect to them from their own device and then download the stored data.<\/p>\n<p>An attacker has a lot to gain from this. First, there\u2019s the high-resolution video, which clearly shows license plates and road signs. Some dashcam models also record the car\u2019s interior, and others feature wide-angle lenses and\/or rear-facing cameras. Second, dashcams can record audio \u2014 primarily conversations \u2014 inside the vehicle. 
Third, these video and audio recordings are tagged with precise timestamps and GPS tags.<\/p>\n<p>Therefore, by downloading data from a dashcam, someone could track the owner\u2019s movements, obtain images of the locations where they drive and park, find out what they talk about in the car, and often get photos and videos of the vehicle\u2019s passengers or people near the car. Naturally, for targeted surveillance, a hacker would need to compromise a specific dashcam, while for mass surveillance, they\u2019d need to compromise a large number of devices.<\/p>\n<h2>Attack vectors for dashcams<\/h2>\n<p>The researchers began their experiments with a popular Thinkware dashcam, but quickly widened the scope of the study to include two dozen models from 15 or so different brands.<\/p>\n<p>They discovered many similarities in how the different devices operate. The initial connection is typically made to a Wi-Fi access point created by the dashcam itself, using the default SSID and password from the manual.<\/p>\n<p>Most of the models tested by the researchers had a hardcoded password, allowing an attacker to establish a connection with them. Once connected, a hacker gains access to a familiar setup found in other IoT gadgets: an ARM processor and a lightweight Linux build. The attacker then has a whole arsenal of proven tricks to choose from to bypass the manufacturer\u2019s authentication \u2014 designed to distinguish the owner from an unauthorized user. At least one of these methods typically works:<\/p>\n<ul>\n<li>Direct file access. While the minuscule web server in the dashcam waits for a client to send a password at the official entry point, malicious requests for direct video downloads often go through without a password check<\/li>\n<li>MAC address spoofing. Many dashcams verify the owner\u2019s identity by checking the unique MAC address of their smartphone\u2019s Wi-Fi adapter. 
The attacker can first intercept this address over the airwaves, and then spoof it in their own requests, which is often enough to establish a connection<\/li>\n<li>Replay attack. By simply recording the entire Wi-Fi data exchange between the dashcam and the owner\u2019s smartphone during a legitimate connection, an attacker can later replay this recording to gain the needed permissions<\/li>\n<\/ul>\n<p>Most online services have been protected against these types of attacks for years if not decades. However, these classic vulnerabilities from the past are still frequently discovered in embedded devices.<\/p>\n<p>To allow users to quickly review recorded files on their phone screen, or even watch a live feed from the camera, dashcams typically run several servers similar to those used on the internet. An FTP server enables quick file downloads, while an RTSP server streams live video, and so on. In theory, these servers have their own password-based security to protect them from unauthorized access. In practice, they often use a default, hardcoded password that\u2019s identical for every unit of that model \u2014 a password that can be easily extracted from the manufacturer\u2019s mobile app.<\/p>\n<h2>The one-hack-fits-all situation<\/h2>\n<p>Why are researchers convinced that these devices can be hacked on a massive scale? Due to two key factors:<\/p>\n<ul>\n<li>Just a few popular dashcam models account for the lion\u2019s share of the market. For instance, in Singapore, nearly half of all dashcams sold are from the brand IMAKE<\/li>\n<li>Different models, sometimes from different brands, have very similar hardware and software architecture. 
This is because these dashcam manufacturers source their components and firmware from the same developer<\/li>\n<\/ul>\n<p>As a result, a single piece of malicious code designed to try a few dozen passwords and three or four different attack methods could successfully compromise roughly a quarter of all dashcams in a real-world urban environment.<\/p>\n<p>In the initial version of the attack, the researchers modeled a semi-stationary scenario. In this setup, an attacker with a laptop would be located at a place where cars stop for a few minutes, such as a gas station or a drive-through. However, further research led them to a more alarming conclusion: everything needed for the attack could be run directly on the dashcam itself! They managed to write code that operates like a computer worm: an infected dashcam attempts to connect to and compromise the dashcams in nearby cars while on the move. This is feasible when vehicles travel at similar speeds, for instance in heavy traffic.<\/p>\n<h2>From mass compromise to mass surveillance<\/h2>\n<p>The authors of the study didn\u2019t stop at just proving that the hack was possible; they developed a complete system for harvesting and analyzing data. The data from compromised dashcams can be harvested to one central location in two ways: by sending the data directly to the attackers\u2019 computer located at, say, a gas station, or by exploiting the built-in cloud-enabled features of some dashcams.<\/p>\n<p>Some dashcam models are equipped with an LTE module, allowing the malicious code to send data directly to the botnet owner. But there\u2019s also an option for simpler models. 
For example, a dashcam can have functionality to upload data to a smartphone for syncing it to the vendor cloud, or the compromised device can forward the data to other dashcams, which then relay it to the attacker.<\/p>\n<p>Sometimes, inadequate cloud storage security allows data to be extracted directly \u2014 especially if the attacker knows the user identifiers stored within the camera.<\/p>\n<p>The attacker can combine several methods to analyze the harvested data:<\/p>\n<ul>\n<li>Extracting GPS metadata from photos and videos<\/li>\n<li>Analyzing video footage to detect road signs and recognize text \u2014 identifying specific streets and landmarks<\/li>\n<li>Using a Shazam-like service to identify music playing in the car<\/li>\n<li>Leveraging OpenAI models to transcribe audio and generate a concise summary of all conversations inside the vehicle<\/li>\n<\/ul>\n<p>The result is a brief, informative summary of every trip: the route, travel time, and topics that were discussed. At first glance, the value of this data seems limited because it\u2019s anonymous. In reality, de-anonymization isn\u2019t a problem. Sometimes the owner\u2019s name or license plate number is explicitly listed in the camera\u2019s settings. Furthermore, by analyzing the combination of frequently visited locations (like home and work), it\u2019s relatively straightforward to identify the dashcam owner.<\/p>\n<h2>Conclusions and defense strategies<\/h2>\n<p>The recent revelations about the <a href=\"https:\/\/www.404media.co\/flock-wants-to-partner-with-consumer-dashcam-company-that-takes-trillions-of-images-a-month\/\" target=\"_blank\" rel=\"noopener nofollow\">partnership between Flock and Nexar<\/a> underscore how dashcams could indeed become a valuable link in a global surveillance and video monitoring system. 
Flock operates the largest network of automated license plate reader cameras for police in the United States, while Nexar runs a popular network of cloud-connected dashcams designed to create a \u201ccrowdsourced vision\u201d of the roads.<\/p>\n<p>However, the mass hacking of dashcams could lead to a much more aggressive and malicious data-harvesting effort, with information being abused for criminal and fraudulent schemes. Countering this threat is primarily the responsibility of vendors, which need to adopt secure development practices (<a href=\"https:\/\/os.kaspersky.com\/blog\/cyber-immunity-and-ai\/\" target=\"_blank\" rel=\"noopener nofollow\">Security by Design<\/a>), implement robust cryptography, and employ other technical controls. For drivers, self-defense options are limited, and heavily dependent on the specific features of their dashcam model. We list them below in order of the most to least radical:<\/p>\n<ul>\n<li>Purchase a model without LTE, Wi-Fi and Bluetooth capabilities. This is the most secure option<\/li>\n<li>Completely disable Wi-Fi, Bluetooth, and other communication features on the dashcam<\/li>\n<li>Disable audio recording and, ideally, physically disable the microphone if possible<\/li>\n<li>Turn off parking mode. This feature keeps the dashcam active at all times to record incidents while the car is parked. 
However, it drains the car\u2019s battery and, very likely, keeps the Wi-Fi on \u2014 significantly increasing the risk of a hack<\/li>\n<li>Check the available Wi-Fi settings on the dashcam:\n<ul>\n<li>If there\u2019s an auto-shutoff for Wi-Fi after a certain period, set it to the shortest time possible<\/li>\n<li>If you can change the default Wi-Fi password or network name (SSID), be sure to do so<\/li>\n<li>If there\u2019s an option to hide the network name (often referred to as Hidden SSID, Wi-Fi Broadcast Off, or Stealth Mode), enable it<\/li>\n<\/ul>\n<\/li>\n<li>Regularly update your dashcam firmware and its paired smartphone app. This increases the chances that vulnerabilities \u2014 like those described in this article \u2014 will be patched when you install a newer version.<\/li>\n<\/ul>\n<blockquote><p>Modern cars are susceptible to other types of cyberattacks too:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/automotive-security-2025\/54562\/\" target=\"_blank\" rel=\"noopener nofollow\">Highway to\u2026 hacked: cyberthreats to connected cars<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/perfektblue-bluetooth-car-hack\/54159\/\" target=\"_blank\" rel=\"noopener nofollow\">Car hacking via Bluetooth<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/tracking-and-hacking-kia-cars-via-internet\/52497\/\" target=\"_blank\" rel=\"noopener nofollow\">How millions of Kia cars could be tracked<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/car-manufacturers-silently-sell-user-telematics-data\/51245\/\" target=\"_blank\" rel=\"noopener nofollow\">I know how you drove last summer<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/spies-on-wheels-how-carmakers-sell-your-intimate-data\/49341\/\" target=\"_blank\" rel=\"noopener nofollow\">Spies on wheels: how carmakers collect and then resell information<\/a><\/li>\n<\/ul>\n<\/blockquote>\n
","protected":false},"excerpt":{"rendered":"<p>Researchers have discovered how to connect to someone else&#8217;s dashcam in a matter of seconds, and weaponize it for future attacks.<\/p>\n","protected":false},"author":2722,"featured_media":29772,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026],"tags":[1032,629,971,282,3901,861,525,1946,43,337,268],"class_list":{"0":"post-29771","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cameras","9":"tag-cars","10":"tag-connected-devices","11":"tag-cybersecurity","12":"tag-dashcams","13":"tag-hack","14":"tag-hacks","15":"tag-information-security","16":"tag-privacy","17":"tag-sas","18":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dashcam-hack-botnet-on-the-wheels\/29771\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dashcam-hack-botnet-on-the-wheels\/29884\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dashcam-hack-botnet-on-the-wheels\/24964\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dashcam-hack-botnet-on-the-wheels\/28824\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dashcam-hack-botnet-on-the-wheels\/30346\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dashcam-hack-botnet-on-the-wheels\/40964\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dashcam-hack-botnet-on-the-wheels\/14089\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dashcam-hack-botnet-on-the-wheels\/54839\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dashcam-hack-botnet-on-the-wheels\/23451\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dashcam-hack-botnet-on-the-wheels\/32977\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kasp
ersky.kz\/dashcam-hack-botnet-on-the-wheels\/29986\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dashcam-hack-botnet-on-the-wheels\/35693\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dashcam-hack-botnet-on-the-wheels\/35321\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/cars\/","name":"Cars"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/29771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=29771"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/29771\/revisions"}],"predecessor-version":[{"id":29773,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/29771\/revisions\/29773"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/29772"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=29771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=29771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=29771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}