IROAD Q Series Dashcams Video Access Vulnerability

A vulnerability exists in IROAD Q Series dashcams, including the Q9 model, allowing unauthorized remote access to recorded video footage and live video streams. This issue arises from the dashcam's API endpoints on ports 9091 and 9092, which can be accessed by users who have connected to the dashcam's Wi-Fi network. The vulnerability exposes not only the video feeds but also sensitive location data embedded in the recordings.

Impact

Exploitation of this vulnerability allows for unauthorized access to video recordings and live streams from the dashcam, posing significant privacy risks by exposing personal location data.

Reproduction

To reproduce this vulnerability, connect to the dashcam's Wi-Fi network. Once connected, access the dashcam's API endpoints on ports 9091 and 9092. Port 9091 can be used to list and download recorded videos, while port 9092 provides access to the live video stream via RTSP.