YI Car Dashcam Unrestricted File Upload, Download, and API Command Vulnerability
Vulnerability
A vulnerability has been identified in the HTTP server of the YI Car Dashcam, version 3.88. The issue is improper access control: the server permits unrestricted file downloads and uploads, as well as the execution of API commands, without authentication. Exploitation of this vulnerability could lead to unauthorized modification of device settings, such as disabling recording, muting sounds, or performing a factory reset.
Impact
Exploitation of this vulnerability could result in unauthorized access to files on the device, the ability to upload files, and the execution of API commands that modify critical device settings.
Reproduction
To reproduce this vulnerability, connect to a YI Car Dashcam running firmware version 3.88 using its default or weak credentials. Once connected, the HTTP server is reachable for direct interaction without any further authentication. From there, files can be uploaded or downloaded, and API commands can be sent to change device settings, such as turning off recording or sounds, or resetting the device to factory defaults.
