70mai Dashcam Omni X200 Missing Authentication Vulnerability in Pairing Component
Vulnerability
The 70mai Dashcam Omni X200, in versions prior to 20251010, contains a vulnerability that allows the device pairing authentication mechanism to be bypassed. Users are typically required to physically press the power button to connect the dashcam to the mobile app. However, an attacker who connects to the dashcam's network can access the API on port 80 and the RTSP stream on port 554 without any authentication. Because these services do not enforce authentication, the dashcam's functionality is exposed to unauthorized access.
Impact
Exploitation of this vulnerability allows for unauthorized access to the dashcam's network services, including the live video stream, without the owner's knowledge. This could lead to unauthorized surveillance or monitoring.
Reproduction
To reproduce this vulnerability, connect to the 70mai Dashcam Omni X200's network. Once connected, access the dashcam's API on port 80 or the RTSP stream on port 554. This can be done without pressing the physical power button, which is normally required for authorization.
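An owner can use the following check against their own unit to see whether the two services named above still answer without an authentication challenge. This is an added example, not code from the advisory or the vendor. It sends only a bare HTTP `GET /` and an RTSP `OPTIONS` request, so no device-specific paths are assumed; treating a 401/403 or a refused connection as the fixed behaviour is also an assumption, since the advisory does not describe how patched firmware responds.

```python
import socket
import sys

# Ports named in the advisory: HTTP API (80) and RTSP stream (554).
SERVICES = {80: "http", 554: "rtsp"}

def build_probe(proto, host):
    """Smallest valid request per protocol; no device-specific path is assumed."""
    if proto == "http":
        return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    return f"OPTIONS rtsp://{host}:554/ RTSP/1.0\r\nCSeq: 1\r\n\r\n".encode()

def classify(raw):
    """Turn the first response line into a verdict about authentication."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) < 2 or not parts[0].startswith(("HTTP/", "RTSP/")) or not parts[1].isdigit():
        return "no-valid-response"
    # Assumption: a service that enforces authentication answers 401 or 403.
    if int(parts[1]) in (401, 403):
        return "auth-required"
    # Any other status means the request was processed with no challenge.
    return "no-auth-challenge"

def check(host, timeout=3.0):
    """Probe both services on a device you own; returns {port: verdict}."""
    results = {}
    for port, proto in SERVICES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_probe(proto, host))
                results[port] = classify(s.recv(4096))
        except OSError:  # refused, timed out, or no route
            results[port] = "unreachable"
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check.py <dashcam-ip>")
    for port, verdict in check(sys.argv[1]).items():
        print(f"port {port}: {verdict}")
```

Run it while joined to the dashcam's network and without pressing the power button; a `no-auth-challenge` verdict on either port matches the behaviour described in the reproduction steps.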
