IROAD Dash Cam X5 and X6 Missing Authentication Vulnerability in API Endpoint
Vulnerability
A critical vulnerability exists in the IROAD Dash Cam X5 and Dash Cam X6 models released prior to March 8, 2025. The issue arises from a missing authentication requirement in the API endpoint, allowing remote access to functionalities that should be protected. This vulnerability could be exploited without any form of authentication, leading to unauthorized actions or access.
Impact
Exploitation of this vulnerability could result in unauthorized access to the dash cam's API, allowing attackers to manipulate settings, access video footage, and disrupt the device's functionality.
Reproduction
The vulnerability can be reproduced by connecting to the dash cam's WiFi network. Once connected, the API endpoints on ports 9091 and 9092 can be accessed without authentication. Port 9091 allows access to the dash cam's settings, while port 9092 provides a live video stream via RTSP.
Remediation
It is recommended to implement restrictive firewall rules to block unauthorized access to the vulnerable API endpoints.
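One way to confirm that such firewall rules took effect is to re-check the two ports named above from a client on the dash cam's WiFi network. This is an added example, not code from the advisory or the vendor; the device address and RTSP URL are supplied by the operator because the page gives neither, the function names are hypothetical, and the script assumes that the stream on port 9092 answers a standard RTSP DESCRIBE.

```python
import socket
import sys

PORTS = {9091: "settings API", 9092: "RTSP live stream"}  # ports named in the advisory

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes, i.e. no rule blocks it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_rtsp(raw):
    """Classify a raw RTSP response by whether the server demanded credentials."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "not-rtsp"
    status = int(parts[1])
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    if status == 401 and "www-authenticate" in names:
        return "auth-required"
    if 200 <= status < 300:
        return "served-without-auth"
    return "other-%d" % status

def rtsp_describe(host, port, url, timeout=3.0):
    """Send one credential-less DESCRIBE; return the raw reply, or b'' on error."""
    req = "DESCRIBE %s RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n" % url
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            return s.recv(4096)
    except OSError:
        return b""

def audit(host, rtsp_url):
    """Return {port: finding} for the two ports; 'blocked' is the remediated state."""
    findings = {}
    for port in PORTS:
        if not tcp_reachable(host, port):
            findings[port] = "blocked"
        elif port == 9092:
            findings[port] = classify_rtsp(rtsp_describe(host, port, rtsp_url))
        else:
            findings[port] = "reachable"
    return findings

if __name__ == "__main__" and len(sys.argv) == 3:  # usage: script.py <device-ip> <rtsp-url>
    for port, finding in audit(sys.argv[1], sys.argv[2]).items():
        print(port, PORTS[port], finding)
```

A result of `blocked` on both ports means the rules are doing their job; `reachable` on 9091 or `served-without-auth` on 9092 means the exposure described above is still present.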
