IROAD Dash Cam FX2 Device Registration Password Bypass Vulnerability

Vulnerability

A vulnerability in IROAD Dash Cam FX2 versions prior to 20250308 allows attackers on the local network to bypass the device registration process. The HTTP server lacks authentication controls, so it can be accessed directly without pairing through the 'IROAD X View' app. Exploitation involves setting the Password argument to 'qwertyuiop', the default password, to gain unauthorized access. The vulnerability has been publicly disclosed and could be exploited by an attacker within the same local network.

Impact

Exploitation of this vulnerability allows unauthorized access to the dash cam's HTTP server, bypassing the required device registration. This access is silent, with no alerts triggered on the device, enabling potential further exploitation of the camera's features or data.

Reproduction

To reproduce this vulnerability, connect to the IROAD Dash Cam FX2's WiFi network using the default password 'qwertyuiop'. Once connected, access the dash cam's HTTP server at 'http://192.168.10.1' without going through the official pairing process via the 'IROAD X View' app.
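
An owner-side check for the condition described above, added here as an example and not taken from the advisory or the vendor: it requests the dash cam's HTTP server without credentials and reports whether the server answered anyway. The result labels and the treatment of 401/403 as "authentication required" are assumptions of this example; the page does not say how fixed firmware responds.

```python
import http.client
import urllib.error
import urllib.request

# Address the page gives for the dash cam's HTTP server.
DASHCAM_URL = "http://192.168.10.1"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a redirect to a login page is not
    mistaken for an unauthenticated 200 response."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_http_auth(url, timeout=5.0):
    """Classify how the server answers a request that carries no credentials.

    Returns one of (labels are this example's own, not the vendor's):
      "open"          - 2xx without any credentials: the exposed state
      "auth-required" - 401/403: the server asked for credentials
      "other:<code>"  - any other HTTP status, redirects included
      "unreachable"   - no HTTP answer (wrong network, device off, timeout)
    """
    # Empty ProxyHandler: talk to the device directly, ignore proxy settings.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), NoRedirect
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            if 200 <= resp.status < 300:
                return "open"
            return f"other:{resp.status}"
    except urllib.error.HTTPError as err:  # must precede URLError (subclass)
        if err.code in (401, 403):
            return "auth-required"
        return f"other:{err.code}"
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return "unreachable"


if __name__ == "__main__":
    print(DASHCAM_URL, "->", check_http_auth(DASHCAM_URL))
```

Run it from a machine joined to the camera's network; "open" means the HTTP server answered without credentials, which is the condition this page describes.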

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.