IROAD X5 Dashcam MAC Address Spoofing Vulnerability Allows Device Pairing Bypass

A vulnerability exists in the IROAD X5 dashcam that allows attackers to bypass the device pairing process through MAC address spoofing. The dashcam's pairing mechanism relies solely on MAC address verification, which can be exploited by spoofing a MAC address of an already-paired device. This spoofed address can be captured via an ARP scan, enabling unauthorized access to the dashcam.

Impact

Exploiting this vulnerability allows attackers to gain full access to the dashcam, bypassing the official pairing process. This access could be used to manipulate the device or extract data, such as video footage.

Reproduction

To reproduce this vulnerability, first capture the MAC address of an already-paired device using an ARP scan. Then, spoof the MAC address of the attacking device to match the captured address. Once the spoofed MAC address is recognized by the dashcam, it will allow connection without going through the pairing process.