i-Drive Dashcams Video Stream Access Control Vulnerability

A vulnerability exists in i-Drive dashcam models i11 and i12, all firmware versions prior to 20250227. The issue lies in the video footage and live video stream components, where improper access controls allow remote attackers to access and manipulate video data. The vulnerability is particularly concerning as it can be exploited to dump recorded footage, stream live video, and access sensitive information through the dashcam's settings.

Impact

Exploitation of this vulnerability allows for unauthorized remote access to video recordings and live streams from the dashcam, potentially exposing sensitive information such as location data. Additionally, it could be combined with other vulnerabilities to manipulate the dashcam's settings or disrupt the vehicle's battery.

Reproduction

The vulnerability can be reproduced by connecting to the dashcam's Wi-Fi network. Once connected, an attacker can send a crafted command to port 9091 to enumerate and access video recordings stored on the dashcam's SD card. These recordings can be converted from JDR to MP4 format. To stream live footage, the attacker must open a secondary socket to port 9092 and validate the challenge-response key.