IROAD X5 Mobile App Hard-Coded Credentials Vulnerability
Vulnerability
A critical vulnerability exists in the IROAD X5 Mobile App for Android, in versions through 5.2.5. The issue lies within the API endpoint component, where hard-coded credentials are embedded in the application. This vulnerability allows unauthorized access to the dashcam's settings and video streams, posing significant privacy risks. The hard-coded credentials can be exploited remotely once the attacker's device is connected to the dashcam's WiFi network.
Impact
Exploitation of this vulnerability allows unauthorized users to access the dashcam's API endpoints, leading to unauthorized control over the device's settings and access to live and recorded video streams. This not only violates the user's privacy but also exposes sensitive location data embedded in the recordings.
Reproduction
To reproduce this vulnerability, connect to the IROAD X5 dashcam's WiFi network. Once connected, send a crafted authentication command using the hard-coded credentials. To access the dashcam's settings, use the credentials 'adim' and '000000' on port 9091. To access the video stream, use 'admin' and 'tibet' on port 9092.