IROAD Dash Cam FX2 HTTP and RTSP Unauthenticated Information Disclosure Vulnerability

Vulnerability

An information disclosure vulnerability has been identified in the IROAD Dash Cam FX2, affecting versions prior to 20250308. The issue lies in an unknown function of the HTTP/RTSP component and involves the path '/mnt/extsd/event/'. It allows unauthorized access to sensitive files and video recordings. The attack must be initiated from within the local network.

Impact

Exploitation of this vulnerability allows for unauthorized access to stored video recordings and live video feeds. The accessed recordings can be converted from JDR format to MP4, and the RTSP stream on port 8554 can be viewed in real-time, all without the owner's knowledge. This poses significant privacy risks, including exposure of location data embedded in the recordings.

Reproduction

To reproduce this vulnerability, connect to the IROAD Dash Cam FX2's WiFi network using the default password. Once connected, access the dash cam's HTTP server at 'http://192.168.10.1/mnt/extsd/event/' to download unencrypted video recordings. Additionally, the RTSP stream on port 8554 can be accessed without authentication to view live footage.
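An exposure check for a dash cam you own, added here as an example and not part of the original advisory: it sends one anonymous request to each service named above and reports whether the reply was served or challenged. HTTP port 80, the RTSP path "/" and all function names are assumptions; the sample responses are constructed.

```python
import socket

# Constructed sample responses (not captured from a device), used to exercise classify().
SAMPLE_HTTP_OPEN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_RTSP_401 = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                   b'WWW-Authenticate: Digest realm="cam", nonce="0"\r\n\r\n')

def classify(response: bytes) -> str:
    """Map a raw HTTP or RTSP response to 'open', 'auth-required' or 'other'."""
    status = response.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(status) < 2 or not status[0].startswith(("HTTP/", "RTSP/")):
        return "other"
    if not status[1].isdecimal():
        return "other"
    code = int(status[1])
    if code == 401:
        return "auth-required"   # server challenged the anonymous request
    if 200 <= code < 300:
        return "open"            # content served without any credentials
    return "other"               # e.g. 404: path wrong, nothing proven either way

def http_request(host: str, path: str = "/mnt/extsd/event/") -> bytes:
    # Anonymous GET for the recordings directory named in the advisory.
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def rtsp_request(host: str, port: int = 8554, path: str = "/") -> bytes:
    # Anonymous DESCRIBE; path "/" is a placeholder, the advisory names no stream path.
    url = f"rtsp://{host}:{port}{path}"
    return f"DESCRIBE {url} RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n".encode()

def probe(host: str, port: int, request: bytes, timeout: float = 3.0) -> str:
    """Send one request with no credentials and classify the first reply bytes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return classify(s.recv(4096))
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    cam = "192.168.10.1"  # address from the advisory; HTTP port 80 is assumed
    print("HTTP /mnt/extsd/event/:", probe(cam, 80, http_request(cam)))
    print("RTSP :8554            :", probe(cam, 8554, rtsp_request(cam)))
```

A result of "open" on either line means that service answered without credentials; "other" on the RTSP line usually means the placeholder stream path needs adjusting.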

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.