BlackVue


BlackVue
Basic information
Founded: 2007
Legal structure: Private
Industry: Electronics, Automotive
Also known as: Pittasoft, Pittasoft Co. Ltd.
Official website: https://blackvue.com/

BlackVue is a dashcam brand manufactured by Pittasoft Co. Ltd., a privately held South Korean company founded in 2007.[1] Since 2018, multiple independent security researchers have found that BlackVue's cloud service broadcasts users' real-time GPS locations, live video feeds, and audio to anyone with a free account.[2] Seven CVEs across two product lines remain unpatched or were only acknowledged after public disclosure,[3][4] and in April 2025 Pittasoft began requiring a BlackVue account to use the companion app, removing the ability to access a locally connected dashcam without an internet login.[5]

Consumer impact summary

  • User privacy: BlackVue Cloud has broadcast users' GPS coordinates, live video, and audio to anyone with a free app account since at least 2018. BlackVue called this "a feature, not a bug."[2]
  • Device security: Seven CVEs (two CVSS 9.8 Critical, two CVSS 8.8 High, one CVSS 7.5 High) across the DR750 and DR590X product lines allow remote firmware backdooring, unauthenticated access to recordings, and hardcoded API secrets. The DR750 vulnerabilities reported in July 2022 remain unpatched.[3][4]
  • User freedom: Since April 2025, the BlackVue companion app requires a BlackVue account to access a locally connected dashcam. Non-login Wi-Fi Mode was removed.[5]
  • Subscription lock-in: In early 2025, Pittasoft discontinued its "Free Forever" cloud tier and moved all cloud features to paid subscriptions, breaking a promise made to existing customers.[6]

Background

Pittasoft Co. Ltd. was founded on 2 July 2007, in South Korea, by Hyunmin Hur.[1][7] The company initially focused on IP CCTV solutions before pivoting to dashboard cameras. The BlackVue brand launched in 2010 with the DR300, the company's first dashcam.[7] In 2015, Pittasoft introduced BlackVue Over the Cloud, a connected service that allows remote live viewing, GPS tracking, and push notifications through an internet-connected dashcam.[7]

Pittasoft manufactures its dashcams in South Korea.[7] The company is privately held and has not raised institutional funding or executed an IPO.[1]

Incidents

This is a list of all consumer-protection incidents related to this product. Any incidents not mentioned here can be found in the BlackVue category.

GPS location broadcasting (2018—)

Main article: BlackVue GPS location broadcasting

In October 2018, CSO Online reported that BlackVue dashcam owners were unknowingly broadcasting their real-time GPS coordinates, live video, and audio through BlackVue Cloud. The default cloud configuration when enabling the service opted users into public sharing without warning.[8]

Vice journalist Joseph Cox investigated further in January 2020. He reverse-engineered the BlackVue iOS app and wrote scripts that collected the GPS locations of every BlackVue user with mapping enabled on the eastern half of the United States every two minutes over a week-long period.[9] The researchers tracked users in Manhattan, Brooklyn, Queens, South Carolina, Hong Kong, China, Russia, the UK, and Germany. A BlackVue spokesperson told Vice that collecting multiple users' GPS coordinates over extended periods "is not supposed to be possible" and claimed the company had updated security measures.[9]

The issue resurfaced in January 2022 when cybersecurity researcher Andy Gill reported the same problem to CyberNews. By downloading the free BlackVue app and registering an account (which required no e-mail verification), anyone could view the GPS locations and live-video feeds of connected dashcams.[2] BlackVue responded that sharing is "opt-in only" and claimed all cameras are set to private by default, but Gill's testing showed GPS access was enabled by default.[2] BlackVue acknowledged that "some information might be misleading" and said it would change the wording.[2]

Gill published his findings in March 2024, two years after originally discovering the issue, because BlackVue had not made any changes. His post included an e-mail exchange with BlackVue UK, in which a representative called the public broadcasting of location, video, and audio "a case of personal choice" and described it as "a mature [feature], having been available for nearly 5 years."[10]

Firmware security vulnerabilities

DR750 (CVE-2023-27746, CVE-2023-27747, CVE-2023-27748)

In July 2022, a security researcher reported three vulnerabilities in the BlackVue DR750-2CH LTE (firmware v1.012_2022.10.26) to Pittasoft. The company was informed but did not issue a patch.[3] The CVEs were published in the National Vulnerability Database on 13 April 2023:

  • CVE-2023-27748 (CVSS 9.8 Critical): The DR750's FOTA (firmware over the air) service on port 9771/TCP performs no authenticity check on uploaded firmware. An attacker on the same network or on the internet (for LTE-connected devices) can upload firmware containing backdoors.[11]
  • CVE-2023-27746 (CVSS 9.8 Critical): The default Wi-Fi passphrase uses only 8 lowercase alphanumeric characters, allowing brute-force cracking.[12]
  • CVE-2023-27747 (CVSS 7.5 High): The dashcam's built-in web server has no authentication, allowing anyone on the network to access live video feeds, download all recordings, and retrieve device configurations.[13]

At the time of disclosure, approximately 300 vulnerable DR750 devices were discoverable online.[3] No official patch has been released.[3]

DR590X (CVE-2025-7075, CVE-2025-7076, CVE-2025-2355, CVE-2025-2356)

On 25 February 2025, a researcher with the username geo-chen disclosed four vulnerabilities in the BlackVue DR590X to Pittasoft. The company acknowledged the report on 16 February and accepted the vulnerabilities on 5 March 2025.[4]

  • CVE-2025-7075 (CVSS 8.8 High): An unauthenticated /upload.cgi endpoint allows arbitrary file uploads, including malicious code, when connected to the dashcam's network.[14]
  • CVE-2025-7076: The same upload mechanism allows modification of device configurations, including the ability to disable battery protection and drain the vehicle's battery.[4]
  • CVE-2025-2355: The BlackVue v3.65 Android APK exposes both the BCS_TOKEN and SECRET_KEY in plaintext.[4]
  • CVE-2025-2356: Sensitive API endpoints transmit authentication tokens via GET parameters, exposing them in browser history, referral URLs, and proxy logs. The endpoints allow unauthorized calls to change device settings, including deleting a device from an account.[4]
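
CVE-2025-2356 above describes tokens sent as GET parameters ending up in proxy logs. The following Python script is an added example (not from this page or from the researcher's report) that audits an access log in Common Log Format for credential-bearing query parameters and redacts their values; the parameter names, request paths and log lines are constructed assumptions, not BlackVue's real API.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Hypothetical credential-bearing parameter names (assumption: the page does
# not list the real ones). Extend this set for the API being audited.
SENSITIVE = {"token", "user_token", "access_token", "secret_key", "api_key"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, sorted names of sensitive parameters found)."""
    parts = urlsplit(target)
    found, cleaned = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            found.add(name.lower())
            value = "REDACTED"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), sorted(found)

def audit(lines):
    """Return a list of (line_no, method, leaked_params, redacted_line)."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse
        redacted, leaked = redact_target(m.group("target"))
        if leaked:
            # Splice the redacted target back so the line can be stored safely.
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            findings.append((no, m.group("method"), leaked, safe))
    return findings

# Constructed sample proxy log: addresses, paths and values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /api/example/list?email=a%40example.test&user_token=abc123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jul/2025:10:00:02 +0000] "POST /api/example/settings HTTP/1.1" 200 64',
    '10.0.0.7 - - [01/Jul/2025:10:00:09 +0000] "GET /api/example/delete?id=EXAMPLE01&token=zzz999 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for no, method, leaked, safe in audit(SAMPLE_LOG):
        print(f"line {no}: {method} leaks {leaked}\n  {safe}")
```

The POST line is not flagged because its credentials, if any, travel in headers or the body rather than in the logged request target.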

Cloud subscription tier removal (January 2025)

In January 2025, Pittasoft notified existing BlackVue Cloud users that all cloud services would become subscription-only starting in February 2025, discontinuing a tier the company had previously marketed as "Free Forever."[6] Users reported that BlackVue was still advertising the "Free Forever" plan on its website while sending e-mails notifying customers of the change. One user reported the new subscription cost was $16 per month.[6]

BlackVue Cloud features include remote live view, GPS tracking, two-way voice communication, live event upload, and cloud video backup.[15] The transition to paid-only access means owners of cloud-compatible dashcams who relied on the free tier lost remote access features they had been using since purchasing their hardware.

Mandatory app registration (March 2025)

Main article: BlackVue mandatory app registration

On 13 March 2025, Pittasoft announced that a BlackVue account would be required to use the companion app. The announcement stated that "Non-login Wi-Fi Mode will no longer be available," removing the ability to connect to a locally present dashcam without first creating an account and logging in over the internet.[5]

This was Pittasoft's second attempt to require mandatory registration. In March 2023, an app update required users to log in to access their dashcam. After user complaints on forums and app stores, BlackVue released version 3.42 on 23 March 2023, which added a guest mode for direct Wi-Fi access without login.[16] In 2025, BlackVue removed that guest mode.

Android app version 3.66 (released 1 April 2025) and iOS version 4.0 (released 3 April 2025) implemented the mandatory account requirement.[17] The app's changelog listed "BlackVue account now required" under "Important Changes." An offline mode allows local access after the initial login, but the first login requires an internet connection.[17]

The Android app version 3.66 requests 43 permissions according to APKMirror, rising to 44 permissions in version 4.15.[17] Pittasoft's privacy policy discloses the use of Meta Events Manager, HubSpot Analytics, and TikTok conversion tracking for advertising and analytics purposes.[18]

On the Apple App Store, the app holds a 3.8 out of 5 rating from approximately 2,200 ratings.[19]

Products

BlackVue's current lineup includes:

  • ELITE Series (ELITE 8, ELITE 9, ELITE 10): Premium tier with 4K UHD recording and Sony STARVIS 2 sensors
  • DR970X Series: 4K recording with 8MP Sony STARVIS sensors, available with built-in LTE
  • DR770X Series: Full HD at 60fps, available in 1-channel, 2-channel, and truck variants
  • DR590X Series: Entry-level line
  • BOX Series: Tamper-proof recording unit separate from camera lenses

References

  1. "BlackVue Company Profile". Tracxn. 1 Mar 2026. Archived from the original on 20 Apr 2025. Retrieved 19 Apr 2026.
  2. Lapienytė, Jurgita (12 Jan 2022). "BlackVue dash cameras let you track other users; the company says it's a feature, not a bug". CyberNews. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
  3. eyJhb (12 Apr 2023). "BlackVue DR750 CVE". GitHub. Archived from the original on 5 May 2023. Retrieved 19 Apr 2026.
  4. geo-chen (6 Jul 2025). "BlackVue Security Vulnerabilities". GitHub. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
  5. "Discover the Latest BlackVue App Update: Enhanced UI, New Features, and More". BlackVue. 13 Mar 2025. Archived from the original on 28 Jul 2025. Retrieved 19 Apr 2026.
  6. z_Elektrisk_z (4 Jan 2025). "BlackVue Still Advertising Their "Free Forever" Plan After Notifying All Existing Users BlackVue Cloud Services Will be Subscription Only Starting 02/2025". Reddit. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
  7. "About Us". BlackVue. Archived from the original on 8 Jan 2025. Retrieved 19 Apr 2026.
  8. Ms. Smith (2 Oct 2018). "BlackVue dashcams share cars' mapped GPS locations, stream video feeds and audio". CSO Online. Archived from the original on 4 Oct 2023. Retrieved 19 Apr 2026.
  9. Cox, Joseph (16 Jan 2020). "This App Lets Us See Everywhere People Drive". Vice. Archived from the original on 22 Nov 2024. Retrieved 19 Apr 2026.
  10. Gill, Andy (15 Mar 2024). "BlackVue Dashcams - It's not a bug, it is a feature". ZephrSec. Archived from the original on 6 Apr 2024. Retrieved 19 Apr 2026.
  11. "CVE-2023-27748 Detail". National Vulnerability Database. 13 Apr 2023. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
  12. "CVE-2023-27746 Detail". National Vulnerability Database. 13 Apr 2023. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
  13. "CVE-2023-27747 Detail". National Vulnerability Database. 13 Apr 2026. Archived from the original on 18 Feb 2025. Retrieved 19 Apr 2026.
  14. "CVE-2025-7075 Detail". National Vulnerability Database. 5 Jul 2025. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
  15. "BlackVue Over the Cloud". The Dashcam Store. Archived from the original on 22 Feb 2026. Retrieved 19 Apr 2026.
  16. Triggerfish (15 Mar 2023). "New Blackvue App 2023: HORRID". DashCamTalk. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.
  17. "BlackVue 3.66 APK". APKMirror. 1 Apr 2025. Archived from the original on 9 May 2025. Retrieved 19 Apr 2026.
  18. "BlackVue Privacy Policy". Iubenda. 18 May 2025. Archived from the original on 3 Dec 2025. Retrieved 19 Apr 2026.
  19. "BlackVue on the Apple App Store". Apple. Archived from the original on 20 Apr 2026. Retrieved 19 Apr 2026.