
BlackVue GPS location broadcasting



BlackVue GPS location broadcasting is the ongoing exposure of BlackVue dashcam owners' real-time GPS coordinates, live video feeds, & audio to anyone who creates a free BlackVue Cloud account. The issue was first reported publicly in September 2018 by software architect Tim Woodruff, who found that BlackVue's cloud registration process opted users into public location & video sharing by default.[1] In January 2020, Vice's Motherboard reverse-engineered the BlackVue iOS app & wrote scripts that collected the GPS location of every opted-in user in the eastern half of the United States every 2 minutes.[2] BlackVue has refused to change the functionality, calling it a feature.[3]

Background

BlackVue dashcams with LTE modules connect to BlackVue Cloud, a platform operated by Pittasoft Co. Ltd. The cloud service lets owners access live video, GPS location, & speed data from their cameras remotely via a mobile app or desktop viewer.[1] BlackVue Cloud includes a "World Map" feature that can display a user's location, live video, live audio, & dashcam name publicly to all other BlackVue Cloud users.[3]

The dispute centers on whether these sharing features are opt-in or opt-out. BlackVue maintains that all public sharing settings are disabled by default & that users must actively choose to share.[3] Multiple independent security researchers have found the opposite: that the cloud registration process enables GPS access by default, & that the distinction between private GPS access (visible only to the owner) & public World Map visibility is poorly communicated to users.[1]

Discovery timeline

2018: Woodruff's initial report

In September 2018, software architect Tim Woodruff contacted BlackVue after discovering that the cloud registration process opted users into public GPS & video sharing without clear notification. BlackVue did not respond within a week, so Woodruff went public on Twitter on September 18, 2018.[1]

BlackVue replied publicly that it had reported the issue internally & that developers were "working on a fix to clarify the dashcam registration process and default privacy settings." Woodruff responded that public sharing should not be the default configuration at all.[1]

CSO Online's Ms. Smith confirmed Woodruff's findings on October 2, 2018 by downloading the BlackVue Windows Viewer. She observed BlackVue dashcams displayed on a map: orange icons represented cameras broadcasting GPS location, while green icons indicated cameras also broadcasting live video. Woodruff told CSO Online that "broadcasting live video and GPS is the default configuration when you enable the cloud features, which does not notify or warn you in any way that your information will be public."[1]

Woodruff also demonstrated that if a user disabled the public settings, unregistered their camera, & then re-registered it, the public sharing settings were automatically re-enabled without the user's knowledge.[1]

2020: Vice/Motherboard investigation

In January 2020, Joseph Cox at Vice's Motherboard reverse-engineered the iOS version of the BlackVue app. Motherboard wrote scripts that pulled GPS coordinates from every BlackVue user with mapping enabled in the eastern half of the United States every 2 minutes over a week-long period, collecting data on dozens of customers.[2]

With the collected data, Motherboard reconstructed several users' daily routines. One user drove around Manhattan during the day, then left for Queens in the evening. Another drove around Brooklyn, parking on a specific block in Queens overnight for several consecutive nights. A third drove a truck across South Carolina. Motherboard also accessed live feeds from users in Hong Kong, China, Russia, the UK, & Germany.[2]

Lee Heath, an information security professional & BlackVue user, told Motherboard he had no idea about the public sharing capability before receiving the device as a gift. Heath said he wanted the cloud features for event-based upload notifications but was unaware his location could be visible to strangers.[2]

BlackVue spokesperson Jeremie Sinic told Motherboard that collecting GPS coordinates of multiple users over an extended period "is not supposed to be possible." After Motherboard disclosed its methods, Sinic said developers had "updated the security measures," & several of Motherboard's data requests stopped working.[2]

2022: Gill's rediscovery

In January 2022, cybersecurity researcher Andy Gill reported finding the same issue. CyberNews reported that Gill tested the BlackVue app on both iOS & Android, finding that anyone who downloaded the app & registered a free account (which required no email verification) could view dashcam GPS locations & live feeds on the World Map.[3]

BlackVue responded to Gill's findings in a 15-comment Twitter thread, stating that sharing of GPS, video, audio, & dashcam name on the World Map "is opt-in only" & that users visible on the map had "shared on purpose."[3] BlackVue added that it was "extremely unlikely that a user would share their camera's location, name and video accidentally."[3]

Gill's testing contradicted this claim. CyberNews reported that from Gill's results, GPS access appeared to be enabled by default.[3] BlackVue acknowledged to CyberNews that "some information might be misleading" & said it would change the wording, but did not commit to changing the default settings themselves.[3]

2024: Gill publishes after 2 years without resolution

On March 15, 2024, Gill published a blog post disclosing his findings after waiting 2 years for BlackVue to act. The post included an email exchange between Gill's friend Colin & a BlackVue UK representative from October 2021. Colin had reported the ability to view anyone's dashcam feed & listen to in-car conversations through a free account. BlackVue UK's response called the feature "a case of personal choice" & described it as "a mature one, having been available for nearly 5 years."[4]

Gill noted that another researcher, Antisocial Engineer, had also informed BlackVue in November 2020 but received the same response: it was a feature, not a security issue.[4]

BlackVue's response

BlackVue's position has remained consistent across all 4 disclosures: the World Map is a feature, not a vulnerability. The company's stated defense rests on 3 claims. First, that all public sharing settings are disabled by default. Second, that users must actively opt in by changing privacy settings. Third, that the cameras visible on the World Map represent a small fraction of total BlackVue Cloud users.[3]

These claims have been disputed by every researcher who has tested the system. Woodruff documented in 2018 that the registration process enabled public sharing by default & re-enabled it upon camera re-registration.[1] Gill found in 2022 that GPS access was enabled by default.[3] BlackVue's own acknowledgment to CyberNews that "some information might be misleading" confirmed the company recognized the opt-in language did not match the user experience. BlackVue's only proposed remedy was to change the wording rather than the default settings.[3]

After Motherboard's 2020 investigation, BlackVue updated some security measures that blocked bulk data collection scripts, but the underlying World Map feature & its public accessibility persisted.[4] As of March 2024, Gill confirmed the issue persisted, stating BlackVue "still refuses to fix it."[4]

Consumer impact

BlackVue Cloud's location broadcasting creates a specific risk: anyone with a free app account can identify where a dashcam owner lives, works, & drives. The Vice investigation demonstrated this by tracking individual users to specific residential blocks over multiple nights.[2] The CSO Online report raised the risk of broadcasting garage interiors, school drop-off locations, & medical facility visits.[1]

Gill pointed out that many cameras in the World Map showed license plates in the video feed or displayed the vehicle make & model as the camera name, creating what he described as "an easy shopping list of cars to steal."[3] A free account with no email verification grants access to real-time location, vehicle identification, & routine pattern data for any opted-in camera on the World Map.[3]

References

  1. Smith, Ms. (2018-10-02). "BlackVue dashcams share cars' mapped GPS locations, stream video feeds and audio". CSO Online. Retrieved 2026-03-28.
  2. Cox, Joseph (2020-01-16). "This App Lets Us See Everywhere People Drive". Vice. Retrieved 2026-03-28.
  3. Lapienyte, Jurgita (2022-01-12). "BlackVue dash cameras let you track other users; the company says it's a feature, not a bug". CyberNews. Retrieved 2026-03-28.
  4. Gill, Andy (2024-03-15). "BlackVue Dashcams - It's not a bug, it is a feature". ZephrSec. Retrieved 2026-03-28.