| Title | IROAD Dashcam X series (X5, X6, etc) Missing Authentication |
|---|
| Description | Remotely Dump Video Footage and Live Video Stream
The IROAD X series (X5, X6, etc) dashcam exposes API endpoints on ports 9091 and 9092 that allow remote access to recorded and live video feeds. An attacker who connects to the dashcam’s network can retrieve all stored recordings and convert them from JDR format to MP4. Additionally, port 9092's RTSP stream can be accessed remotely, allowing real-time video feeds to be extracted without the owner's knowledge. This vulnerability results in severe privacy risks, including exposure of location data embedded in recordings. |
|---|
| Source | ⚠️ https://github.com/geo-chen/IROAD#finding-4-remotely-dump-video-footage-and-live-video-stream |
|---|
| User | geochen (UID 78995) |
|---|
| Submission | 03/08/2025 17:25 (1 Year ago) |
|---|
| Moderation | 03/15/2025 19:22 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 299810 [IROAD Dash Cam X5/Dash Cam X6 up to 20250308 API Endpoint missing authentication] |
|---|
| Points | 20 |
|---|