Dashcams, popular in some countries and illegal in others, are typically seen as insurance in case of an accident or roadside dispute. But a team of Singaporean cybersecurity researchers has a different take. They see offline (!) dashcams as a suitable foundation for… a mass surveillance system — moreover, one that can expand automatically. They presented the details of their research at the Security Analyst Summit 2025.
The espionage potential of a dashcam
So, how can an offline device be used for surveillance? Well, although most dashcams aren’t equipped with a SIM card or 4G/5G connectivity, even inexpensive models have Wi-Fi. This allows the driver’s phone to connect to the device through a mobile app to adjust settings, download videos, and for other purposes. And as it turns out, many dashcams allow authentication to be bypassed, meaning a malicious actor can connect to them from their own device and then download the stored data.
An attacker has a lot to gain from this. First, there’s the high-resolution video, which clearly shows license plates and road signs. Some dashcam models also record the car’s interior, and others feature wide-angle lenses and/or rear-facing cameras. Second, dashcams can record audio — primarily conversations — inside the vehicle. Third, these video and audio recordings are tagged with precise timestamps and GPS tags.
Therefore, by downloading data from a dashcam, someone could track the owner’s movements, obtain images of the locations where they drive and park, find out what they talk about in the car, and often get photos and videos of the vehicle’s passengers or people near the car. Naturally, for targeted surveillance, a hacker would need to compromise a specific dashcam, while for mass surveillance, they’d need to compromise a large number of devices.
Attack vectors for dashcams
The researchers began their experiments with a popular Thinkware dashcam, but quickly widened the scope of the study to include two dozen models from 15 or so different brands.
They discovered many similarities in how the different devices operate. The initial connection is typically made to a Wi-Fi access point created by the dashcam itself, using the default SSID and password from the manual.
Most of the models tested by the researchers had a hardcoded password, allowing an attacker to establish a connection with them. Once connected, a hacker gains access to a familiar setup found in other IoT gadgets: an ARM processor and a lightweight Linux build. The attacker then has a whole arsenal of proven tricks to choose from to bypass the manufacturer’s authentication — designed to distinguish the owner from an unauthorized user. At least one of these methods typically works:
- Direct file access. While the minuscule web server in the dashcam waits for a client to send a password at the official entry point, malicious requests for direct video downloads often go through without a password check
- MAC address spoofing. Many dashcams verify the owner’s identity by checking the unique MAC address of their smartphone’s Wi-Fi adapter. The attacker can first intercept this address over the airwaves, and then spoof it in their own requests, which is often enough to establish a connection
- Replay attack. By simply recording the entire Wi-Fi data exchange between the dashcam and the owner’s smartphone during a legitimate connection, an attacker can later replay this recording to gain the needed permissions
Most online services have been protected against these types of attacks for years if not decades. However, these classic vulnerabilities from the past are still frequently discovered in embedded devices.
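A device-side check that closes the three gaps listed above, as an added example that is not the researchers' or any vendor's code: every route passes through one gate, the client's MAC address plays no part in the decision, and each challenge is accepted once. `DashcamAuth`, `sign`, the pairing key, the TTL and cap values, and the sample paths are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30     # seconds a challenge stays valid (assumed value)
MAX_PENDING = 64   # cap on outstanding challenges (assumed value)

def sign(key: bytes, method: str, path: str, nonce: str) -> str:
    msg = "\n".join((method, path, nonce)).encode()  # tag covers this request and this challenge
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class DashcamAuth:
    """Hypothetical gate in front of every route, file downloads included."""
    def __init__(self, pairing_key: bytes):
        self._key = pairing_key  # random per unit, set at pairing, not a model-wide default
        self._pending = {}       # nonce -> expiry timestamp

    def issue_challenge(self, now=None) -> str:
        now = time.time() if now is None else now
        if len(self._pending) >= MAX_PENDING:    # drop the oldest so memory stays bounded
            self._pending.pop(next(iter(self._pending)))
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now + NONCE_TTL
        return nonce

    def authorize(self, method, path, nonce, tag, client_mac=None, now=None) -> bool:
        # client_mac is deliberately ignored: it is visible on the air and forgeable.
        now = time.time() if now is None else now
        expiry = self._pending.pop(nonce, None)  # single use, so a replay finds nothing
        if expiry is None or now > expiry:
            return False
        expected = sign(self._key, method, path, nonce)
        return hmac.compare_digest(expected.encode(), str(tag).encode())

def demo() -> dict:
    key, video = secrets.token_bytes(32), "/video/0001.mp4"  # constructed sample values
    cam, out = DashcamAuth(key), {}
    n = cam.issue_challenge()
    tag = sign(key, "GET", video, n)
    out["owner"] = cam.authorize("GET", video, n, tag)       # paired phone: accepted
    out["replayed"] = cam.authorize("GET", video, n, tag)    # same exchange again: rejected
    out["no_tag"] = cam.authorize("GET", video, cam.issue_challenge(), "")
    n = cam.issue_challenge()
    out["mac_only"] = cam.authorize("GET", video, n, sign(b"guess", "GET", video, n),
                                    client_mac="02:00:00:00:00:01")  # constructed MAC
    n = cam.issue_challenge()
    out["other_path"] = cam.authorize("GET", video, n, sign(key, "GET", "/settings", n))
    return out
```

Calling `demo()` returns one boolean per scenario; only the request signed with the pairing key for that exact path and a fresh challenge is accepted.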
To allow users to quickly review recorded files on their phone screen, or even watch a live feed from the camera, dashcams typically run several servers similar to those used on the internet. An FTP server enables quick file downloads, while an RTSP server streams live video, and so on. In theory, these servers have their own password-based security to protect them from unauthorized access. In practice, they often use a default, hardcoded password that’s identical for every unit of that model — a password that can be easily extracted from the manufacturer’s mobile app.
The one-hack-fits-all situation
Why are researchers convinced that these devices can be hacked on a massive scale? Due to two key factors:
- Just a few popular dashcam models account for the lion’s share of the market. For instance, in Singapore, nearly half of all dashcams sold are from the brand IMAKE
- Different models, sometimes from different brands, have very similar hardware and software architecture. This is because these dashcam manufacturers source their components and firmware from the same developer
As a result, a single piece of malicious code designed to try a few dozen passwords and three or four different attack methods could successfully compromise roughly a quarter of all dashcams in a real-world urban environment.
In the initial version of the attack, the researchers modeled a semi-stationary scenario. In this setup, an attacker with a laptop would be located at a place where cars stop for a few minutes, such as a gas station or a drive-through. However, further research led them to a more alarming conclusion: everything needed for the attack could be run directly on the dashcam itself! They managed to write code that operates like a computer worm: an infected dashcam attempts to connect to and compromise the dashcams in nearby cars while on the move. This is feasible when vehicles travel at similar speeds, for instance in heavy traffic.
From mass compromise to mass surveillance
The authors of the study didn’t stop at just proving that the hack was possible; they developed a complete system for harvesting and analyzing data. The data from compromised dashcams can be gathered in one central location in two ways: by sending the data directly to the attackers’ computer located at, say, a gas station, or by exploiting the built-in cloud-enabled features of some dashcams.
Some dashcam models are equipped with an LTE module, allowing the malicious code to send data directly to the botnet owner. But there’s also an option for simpler models. For example, a dashcam may be able to upload data to a smartphone, which syncs it to the vendor cloud, or the compromised device can forward the data to other dashcams, which then relay it to the attacker.
Sometimes, inadequate cloud storage security allows data to be extracted directly — especially if the attacker knows the user identifiers stored within the camera.
The attacker can combine several methods to analyze the harvested data:
- Extracting GPS metadata from photos and videos
- Analyzing video footage to detect road signs and recognize text — identifying specific streets and landmarks
- Using a Shazam-like service to identify music playing in the car
- Leveraging OpenAI models to transcribe audio and generate a concise summary of all conversations inside the vehicle
The result is a brief, informative summary of every trip: the route, travel time, and topics that were discussed. At first glance, the value of this data seems limited because it’s anonymous. In reality, de-anonymization isn’t a problem. Sometimes the owner’s name or license plate number is explicitly listed in the camera’s settings. Furthermore, by analyzing the combination of frequently visited locations (like home and work), it’s relatively straightforward to identify the dashcam owner.
Conclusions and defense strategies
The recent revelations about the partnership between Flock and Nexar underscore how dashcams could indeed become a valuable link in a global surveillance and video monitoring system. Flock operates the largest network of automated license plate reader cameras for police in the United States, while Nexar runs a popular network of cloud-connected dashcams designed to create a “crowdsourced vision” of the roads.
However, the mass hacking of dashcams could lead to a much more aggressive and malicious data-harvesting effort, with information being abused for criminal and fraudulent schemes. Countering this threat is primarily the responsibility of vendors, which need to adopt secure development practices (Security by Design), implement robust cryptography, and employ other technical controls. For drivers, self-defense options are limited, and heavily dependent on the specific features of their dashcam model. We list them below in order from the most to the least radical:
- Purchase a model without LTE, Wi-Fi and Bluetooth capabilities. This is the most secure option
- Completely disable Wi-Fi, Bluetooth, and other communication features on the dashcam
- Disable audio recording and, ideally, physically disable the microphone if possible
- Turn off parking mode. This feature keeps the dashcam active at all times to record incidents while the car is parked. However, it drains the car’s battery and, very likely, keeps the Wi-Fi on — significantly increasing the risk of a hack
- Check the available Wi-Fi settings on the dashcam:
  - If there’s an auto-shutoff for Wi-Fi after a certain period, set it to the shortest time possible
  - If you can change the default Wi-Fi password or network name (SSID), be sure to do so
  - If there’s an option to hide the network name (often referred to as Hidden SSID, Wi-Fi Broadcast Off, or Stealth Mode), enable it
- Regularly update your dashcam firmware and its paired smartphone app. This increases the chances that vulnerabilities — like those described in this article — will be patched when you install a newer version.