Thinkware Dashcam Vulnerability Let Attackers Extract the Credentials in Plain-text
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A series of critical vulnerabilities in Thinkware’s F800 Pro dashcam has revealed systemic security flaws, including the exposure of user credentials in plain text, default authentication bypasses, and insecure data storage practices.
These issues, disclosed between November 2024 and March 2025, highlight risks to millions of devices used globally for personal and commercial vehicle monitoring.
CVE-2025-2120: Plaintext Credential Storage
The most severe flaw, tracked as CVE-2025-2120, allows attackers with physical access to the dashcam to extract Wi-Fi credentials and cloud account details directly from the /tmp/hostapd.conf configuration file.
This file stores sensitive data without encryption, enabling adversaries to compromise both local dashcam connectivity and linked Thinkware Cloud accounts.
Researchers confirmed that the credentials remain accessible even after device reboots, posing a persistent risk to users who park vehicles in public or semi-secure locations.
Attack Vectors and Exploitation
The vulnerabilities intersect to create multi-stage attack scenarios:
Default Credential Exploitation (CVE-2025-2119): Attackers can connect to the dashcam’s Wi-Fi using the factory-default password 123456789, bypassing the mandatory mobile app pairing process.
Once connected, they gain unfettered access to the Real-Time Streaming Protocol (RTSP) feed on port 554 and Telnet services on port 23, enabling live video surveillance or historical footage downloads:
“While performing these actions and downloading the video recordings, there were no sounds activated on the dashcam as well so the victim would not know”, researchers said.
Cloud Account Compromise (CVE-2024–53614): A hardcoded AES-256 decryption key in the Thinkware Cloud APK (v4.3.46) allows man-in-the-middle attackers to decrypt login traffic, exposing cloud credentials and granting access to stored footage.
File System Manipulation (CVE-2025-2121): Adversaries with network access can overwrite firmware or deploy malware via the dashcam’s unprotected file storage system, facilitating persistent backdoors or data destruction:
The combination of these flaws permits attackers to:
Notably, exploits operate silently no visual or auditory alerts notify victims during credential extraction or data exfiltration.
Mitigations
Thinkware acknowledged the APK vulnerability but has not yet addressed the hardware-related CVEs publicly. As interim measures, users should:
These vulnerabilities underscore persistent issues in IoT device security, particularly inadequate credential management and over-reliance on “security through obscurity.”
As of writing, no exploits for these vulnerabilities have been detected in the wild. However, proof-of-concept code for CVE-2025-2121 is publicly available, increasing the likelihood of weaponization.
The cybersecurity community continues to reverse-engineer Thinkware’s firmware to identify additional attack surfaces, with findings expected at the Black Hat Asia 2025 conference.
Microsoft’s January 2025 Patch Tuesday updates, which addressed critical Windows OLE flaws like CVE-2025-21298, demonstrate the contrasting responsiveness between enterprise software and IoT vendors—a disparity that leaves consumers disproportionately vulnerable.
Users must balance dashcam security benefits against potential privacy trade-offs.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
Thinkware Dashcam Vulnerability Let Attackers Extract the Credentials in Plain-text
Author: Guru BaranA series of critical vulnerabilities in Thinkware’s F800 Pro dashcam has revealed systemic security flaws, including the exposure of user credentials in plain text, default authentication bypasses, and insecure data storage practices.
These issues, disclosed between November 2024 and March 2025, highlight risks to millions of devices used globally for personal and commercial vehicle monitoring.
CVE-2025-2120: Plaintext Credential Storage
The most severe flaw, tracked as CVE-2025-2120, allows attackers with physical access to the dashcam to extract Wi-Fi credentials and cloud account details directly from the /tmp/hostapd.conf configuration file.
This file stores sensitive data without encryption, enabling adversaries to compromise both local dashcam connectivity and linked Thinkware Cloud accounts.
Researchers confirmed that the credentials remain accessible even after device reboots, posing a persistent risk to users who park vehicles in public or semi-secure locations.
Attack Vectors and Exploitation
The vulnerabilities intersect to create multi-stage attack scenarios:
Default Credential Exploitation (CVE-2025-2119): Attackers can connect to the dashcam’s Wi-Fi using the factory-default password 123456789, bypassing the mandatory mobile app pairing process.
Once connected, they gain unfettered access to the Real-Time Streaming Protocol (RTSP) feed on port 554 and Telnet services on port 23, enabling live video surveillance or historical footage downloads:
“While performing these actions and downloading the video recordings, there were no sounds activated on the dashcam as well so the victim would not know”, researchers said.
Cloud Account Compromise (CVE-2024–53614): A hardcoded AES-256 decryption key in the Thinkware Cloud APK (v4.3.46) allows man-in-the-middle attackers to decrypt login traffic, exposing cloud credentials and granting access to stored footage.
File System Manipulation (CVE-2025-2121): Adversaries with network access can overwrite firmware or deploy malware via the dashcam’s unprotected file storage system, facilitating persistent backdoors or data destruction:
The combination of these flaws permits attackers to:
- Steal sensitive footage of routes, license plates, or driver behavior.
- Impersonate users via compromised cloud accounts.
- Deploy ransomware targeting fleet operators.
- Create denial-of-service conditions by occupying the single-device connection slot (CVE-2025-2122) .
Notably, exploits operate silently no visual or auditory alerts notify victims during credential extraction or data exfiltration.
Mitigations
Thinkware acknowledged the APK vulnerability but has not yet addressed the hardware-related CVEs publicly. As interim measures, users should:
- Change default Wi-Fi passwords immediately.
- Disable Telnet and restrict RTSP access to trusted networks.
- Monitor /tmp/hostapd.conf for unauthorized modifications.
- Upgrade to Thinkware Cloud APK v4.3.47+, which removes the static decryption key.
These vulnerabilities underscore persistent issues in IoT device security, particularly inadequate credential management and over-reliance on “security through obscurity.”
As of writing, no exploits for these vulnerabilities have been detected in the wild. However, proof-of-concept code for CVE-2025-2121 is publicly available, increasing the likelihood of weaponization.
The cybersecurity community continues to reverse-engineer Thinkware’s firmware to identify additional attack surfaces, with findings expected at the Black Hat Asia 2025 conference.
Microsoft’s January 2025 Patch Tuesday updates, which addressed critical Windows OLE flaws like CVE-2025-21298, demonstrate the contrasting responsiveness between enterprise software and IoT vendors—a disparity that leaves consumers disproportionately vulnerable.
Users must balance dashcam security benefits against potential privacy trade-offs.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news
Оригинальная версия на сайте:
