i-Drive Dashcams Hard-Coded Credentials Vulnerability
Vulnerability
i-Drive dashcam models i11 and i12 running firmware versions up to 20250227 are affected by a hard-coded credentials vulnerability. The credentials are embedded in the application's APK and can be used against the physical device. Because these default credentials are exposed in plaintext, they allow unauthorized access to the dashcam's settings and video footage.
Impact
Exploitation of this vulnerability allows unauthorized access to the dashcam's network, settings, and video footage. Because the hard-coded credentials bypass the device's authentication mechanism, an attacker gains unauthorized access to and control over the device.
Reproduction
To reproduce this vulnerability, connect to the dashcam's Wi-Fi network. Once connected, send a crafted command containing 'TibetList' and the default credentials for settings access to port 9091. The same can be done for port 9092, using the separate set of default credentials for streaming access.
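For reviewing a packet capture of the dashcam's Wi-Fi network, the following added example (not part of the original advisory or the vendor's code) flags client streams to ports 9091 and 9092 that carry the 'TibetList' marker. The Segment record layout, the trusted-client list, and all sample addresses and payload bytes are assumptions constructed for illustration; the advisory does not describe the wire format beyond the marker and the ports.

```python
from dataclasses import dataclass

MARKER = b"TibetList"                          # command marker named in the advisory
PORTS = {9091: "settings", 9092: "streaming"}  # service ports named in the advisory

@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (hypothetical record layout)."""
    ts: float
    src: str
    dport: int
    payload: bytes

def find_tibetlist_commands(segments, trusted=frozenset()):
    """Return one finding per client/port stream that carries the marker.

    Keeps a short tail per stream so a marker split across two segments
    is still matched.
    """
    tails, seen, findings = {}, set(), []
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.dport not in PORTS:
            continue
        key = (seg.src, seg.dport)
        buf = tails.get(key, b"") + seg.payload
        if MARKER in buf and key not in seen:
            seen.add(key)
            findings.append({
                "ts": seg.ts,
                "src": seg.src,
                "service": PORTS[seg.dport],
                # the owner's paired phone may send this legitimately (assumption)
                "severity": "review" if seg.src in trusted else "alert",
            })
        tails[key] = buf[-(len(MARKER) - 1):]
    return findings

# Constructed sample capture; addresses and payload bytes are invented.
TRUSTED = frozenset({"192.168.1.20"})
SAMPLE = [
    Segment(1.0, "192.168.1.20", 9091, b"keepalive"),
    Segment(2.0, "192.168.1.37", 9091, b"\x00\x10Tibet"),
    Segment(2.1, "192.168.1.37", 9091, b"List<constructed>"),
    Segment(3.0, "192.168.1.37", 9092, b"TibetList<constructed>"),
    Segment(4.0, "192.168.1.20", 8080, b"TibetList<constructed>"),
    Segment(5.0, "192.168.1.20", 9091, b"TibetList<constructed>"),
]

if __name__ == "__main__":
    for f in find_tibetlist_commands(SAMPLE, TRUSTED):
        print(f)
```

An "alert" finding means a client outside the trusted list reached one of the two services with the marker; a "review" finding is a trusted client doing the same.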
