G-Net G-ONX Dashcam Hardcoded Credentials Vulnerability in GNET APK

Vulnerability

The G-Net GNET APK version 2.6.2 contains hardcoded credentials that allow unauthorized access to the dashcam's API endpoints on ports 9091 and 9092. Because the credentials ship inside the GNET mobile application, an attacker can use them once connected to the dashcam's Wi-Fi network. An attacker can send a crafted authentication command to port 9091 to retrieve the dashcam's settings. Port 9092, used for streaming, has its own set of credentials that are exposed and exploitable as well.

Impact

Exploitation of this vulnerability allows unauthorized access to the dashcam's API, enabling attackers to manipulate settings, access live video streams, and retrieve recorded footage. Additionally, the vulnerability could be exploited to drain the vehicle's battery by disabling battery protection features.

Reproduction

To reproduce this vulnerability, connect to the GNET SSID. Once connected, send an authentication command with the hardcoded credentials to port 9091 to access the dashcam's settings. For port 9092, use the separate set of credentials to stream live video from the dashcam.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.