An app that is supposed to be a fun activity for dashcam users to broadcast their camera feeds and drives is actually allowing people to scrape and store the real-time location of drivers across the world.
BlackVue is a dashcam company with its own social network. With a small, internet-connected dashcam installed inside their vehicle, BlackVue users can receive alerts when their camera detects an unusual event such as someone colliding with their parked car. Customers can also allow others to tune into their camera's feed, letting others "vicariously experience the excitement and pleasure of driving all over the world," a message displayed inside the app reads.
Users are invited to upload footage of their BlackVue camera spotting people crashing into their cars or other mishaps with the #CaughtOnBlackVue hashtag. It's kind of like Amazon's Ring cameras, but for cars. BlackVue exhibited at CES earlier this month, and was previously featured on Innovations with Ed Begley Jr. on the History Channel.
But what BlackVue's app doesn't make clear is that it is possible to pull and store users' GPS locations in real-time over days or even weeks. Motherboard was able to track the movements of some of BlackVue's customers in the United States.
Do you know about a data exposure? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The news highlights privacy issues that some BlackVue customers or other dashcam users may not be aware of, and more generally the potential dangers of adding an internet and GPS enabled device into your vehicle. It also shows how developers may have one use case for an app, while people can discover others: although BlackVue wanted to create an entertaining app where users could tap into each others' feeds, they may not have realized that it would be trivially easy to track its customers' movements in granular detail, at scale, and over time.
BlackVue acts as another example of how surveillance products that are nominally intended to protect a user have been designed in such a way that can end up in a user being spied on, too.
"I don't think people understand the risk," Lee Heath, an information security professional and BlackVue user told Motherboard. "I knew about some of the cloud features which I wanted. You can have it automatically connect and upload when events happen. But I had no idea about the sharing" before receiving the device as a gift, he added.
Ordinarily, BlackVue lets anyone create an account and then view a map of cameras that are broadcasting their location and live feed. This broadcasting is not enabled by default, and users have to select the option to do so when setting up or configuring their own camera. Motherboard tuned into live feeds from users in Hong Kong, China, Russia, the U.K, Germany, and elsewhere. BlackVue spokesperson Jeremie Sinic told Motherboard in an email that the users on the map only represent a tiny fraction of BlackVue's overall customers.
But the actual GPS data that drives the map is available and publicly accessible.
By reverse engineering the iOS version of the BlackVue app, Motherboard was able to write scripts that pull the GPS location of BlackVue users over a week long period and store the coordinates and other information like the user's unique identifier. One script could collect the location data of every BlackVue user who had mapping enabled on the eastern half of the United States every two minutes. Motherboard collected data on dozens of customers.
With that data, we were able to build a picture of several BlackVue users' daily routines: one drove around Manhattan during the day, perhaps as a rideshare driver, before then leaving for Queens in the evening. Another BlackVue user regularly drove around Brooklyn, before parking on a specific block in Queens overnight. The user did this for several different nights, suggesting this may be where the owner lives or stores their vehicle. A third showed someone driving a truck all over South Carolina.
Some customers may use BlackVue as part of a fleet of vehicles; an employer wanting to keep tabs on their delivery trucks as they drive around, for instance. But BlackVue also markets its products to ordinary consumers who want to protect their cars.
BlackVue's Sinic said that collecting GPS coordinates of multiple users over an extended period of time is not supposed to be possible.
"Our developers have updated the security measures following your report from yesterday that I forwarded," Sinic said. After this, several of Motherboard's web requests that previously provided user data stopped working.
In 2018 the company did make some privacy-related changes to its app, meaning users were not broadcasting their camera feeds by default.
"I think BlackVue has decent ideas as far as leaving off by default but allows people to put themselves at risk without understanding," Heath, the BlackVue user, said.
Motherboard has deleted all of the data collected to preserve individuals' privacy.
Subscribe to our cybersecurity podcast, CYBER.