| Titre | IROAD Dashcam Q Series Protection Mechanism Failure |
|---|
| Description | The IROAD Q Series dashcams, which have fixed default wifi passwords, are vulnerable to device-pairing fatigue attacks because of a lack of rate limiting on the device-pairing process.
An attacker connected to the network can flood the dashcam with pairing requests, repeatedly trigging device-pairing voice messages and inducing MFA fatigue. This can pressure drivers on the road into pressing the "Wi-Fi" button, granting the attacker full access for unauthorized control or data extraction.
The POC screenshot in the advistory link shows the device-pairing request being replayed 5 times over a short window, with each replay triggering 3 voice messages broadcasting "Press the WiFi button to register the smartphone". This is then replayed indefinitely until the owner presses the wifi button.
|
|---|
| La source | ⚠️ https://github.com/geo-chen/IROAD-V?tab=readme-ov-file#finding-8---mfa-spam-to-induce-device-pairing-fatigue |
|---|
| Utilisateur | geochen (UID 78995) |
|---|
| Soumission | 24/06/2025 16:06 (il y a 1 Année) |
|---|
| Modérer | 04/07/2025 14:34 (10 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 314905 [IROAD Dashcam Q9 jusqu’à 20250624 MFA Pairing Request déni de service] |
|---|
| Points | 20 |
|---|