Dash cams may not sit in your front room or link up with the internet in the same way as many connected devices, but that doesn't mean they aren't recording sensitive data. And, importantly, it doesn't mean that they don't need to be just as secure as any internet of things (IoT) device.
If a criminal were able to access the data on a dash cam, they could use it to work out where you live, where you work, what time you usually leave the house and where you go - not to mention being able to delete something incriminating from your recordings.
We assessed a dash cam from each of nine brands - BlackVue, Garmin, Halfords, Kitvision, MiVue, Nextbase, Road Angel, Transcend and Viofo - to see how seriously they took security. Our lab experts posed as wannabe hackers, using every trick in the book to try and gain access.
We found that not a single dash cam we tested offered fully Fort Knox-worthy security, protecting your footage like gold bullion, and some were potential security sieves. Read on for our full findings and what manufacturers are doing about the security risks we identified.
Dash cams record the road ahead of (and sometimes behind) the car so that the driver has usable footage in the event of a collision. The footage can be used by police or insurance companies to determine blame in traffic collisions or cases of dangerous driving.
Recordings are typically saved on a micro-SD card in the dash cam. Some dash cams have a screen where you can play back footage, but the vast majority have a smartphone app which connects over wi-fi to the dash cam, letting you watch the footage on your phone screen instead.
It's this connection where we uncovered our first security issue with some dash cams.
The wireless connection between a dash cam and the smartphone app is usually password protected, but the strength of that password is crucial.
We found that some dash cams from some manufacturers used default passwords that could be easily found or cracked. These included:
Your dash cam doesn't care if you're the owner of the device; it just wants the right password to be entered. So, if a hacker can guess or crack the password, they could access your dash cam data from their smartphone.
Thankfully, we also found that the window for connection is small and a button needs to be pressed on the dash cam before you can connect to it. But while this could make it trickier for a criminal to make the connection, there's no excuse for weak passwords.
Nextbase and BlackVue are examples of how to do this right. BlackVue's default password was complex and difficult to crack, and Nextbase sets up a unique password with every connection, so no amount of internet searching would find it.
Despite the password on Garmin's dash cam being by far the most difficult to access, it has released an update to the affected model to improve the security of its wireless passwords.
Halfords, on the other hand, feels it meets the standards required. It told us: 'As one of the largest retailers of dash cams, we take security very seriously and want to reassure customers that the HDC400 meets all legal standards for security. Having carefully considered all of Which?'s findings and carried out an in-depth investigation, we are confident that the security of the HDC400 dash cam and its app is appropriate for the nature of the data it holds.'
We feel that information held on a dash cam, including where you live, where you drive and all the information that can be gleaned from that, is sensitive data. There isn't currently a legal standard for security, but that doesn't mean brands shouldn't consistently aim for strong passwords that aren't simple to crack.
We're still waiting to hear from Kitvision, MiVue, Road Angel, Transcend and Viofo.
Whenever data is stored on a device, it should be encrypted to make sure only the user can access it. If data isn't encrypted, then anyone gaining access to a device nefariously can sift through your data as effortlessly as flicking through a magazine.
Encryption effectively scrambles that data and will only unscramble it when it's accessed in the proper way, usually by the user inputting a password.
Of course, it's a bit more complicated than that as there are numerous types of encryption. That's because as soon as security experts release a new, supposedly impenetrable, encryption, hackers are on the case to prove them wrong. Eventually they succeed and the security experts set about creating an even stronger encryption.
Some older forms of encryption have no business being used on a device in 2021. But the dash cams we looked at from Garmin, Halfords and MiVue all used an outdated, weak form of encryption.
Weak encryption means that it's easier for a hacker to turn any information they access on the dash cam itself into something useful. It's like stealing a diary written in your own language versus one written in one you don't understand. Manufacturers should be making it as difficult as possible for anyone but the owner to be able to access this information.
We notified Garmin, Halfords and MiVue about our findings. Garmin has committed to improving the encryption on its device and plans to update its software by the end of July.
Halfords has no plans to improve its encryption, because it doesn't deem the data sensitive enough to warrant it.
MiVue hasn't yet responded.
As well as data on the dash cam itself being encrypted, data being sent between the dash cam and the control app needs to be encrypted, too. Transferring data uses a different type of encryption to the ones used to scramble data on the device itself.
BlackVue and Nextbase had strong encryption on the dash cam itself, so we were surprised to see a lack of protection for data during transfer. A lack of transfer encryption makes it easier for a hacker to intercept data being transmitted between the camera and the app.
BlackVue told us it would be adding improved encryption to make sure data being transmitted from the dash cam was more secure, and Nextbase has already fixed the issue on its dash cams.
Nextbase told us: 'As the market-leading British company, Nextbase is highly conscious of the challenges and risks that come with connected technology. The UK-based team at Nextbase puts customer security and privacy at the forefront in all product innovations, creating intelligent technology that can be trusted.'
While the majority of the dash cams we tested had weak default passwords and a third had poor encryption, some of the issues we found were unique to one dash cam: Viofo's.
Servers can be used to send data, in this case between a dash cam and a phone. If the server isn't configured correctly, as was the case with Viofo's server, then it becomes far too easy to access. If you gain access to a server, you gain access to everything on it. In the case of dash cams that means all your recordings, as well as the ability to change how the dash cam works.
It's worth noting that a server only relates to that one dash cam, so gaining access to one wouldn't let you look at data for all Viofo's dash cams.
We contacted Viofo to make it aware of the problem and ask it to improve the security of its server, but we are yet to hear back.
The good news is that none of these issues are as significant as some we've seen with other devices, and it would still be difficult for a hacker to gain access to data, particularly where the password is not a weak default one.
Because dash cams don't connect to your wi-fi router (they create their own direct wi-fi link with a phone), there's no risk of a hacker gaining access to the devices on your home network through a dash cam.
And most dash cams don't radiate a wi-fi signal constantly. A button needs to be pressed on the device for the wi-fi signal to start, or it comes on when the car engine starts. The wi-fi will then only stay on for a few minutes, so the window for a hacker to gain access is small. Plus, they would often need to be very close by or have particular software in order to intercept the data.
While the window for attack is small, it's still a window. It wouldn't take much effort on the part of manufacturers to shut that window entirely, and we think they should.
Our findings show that data privacy and security need to extend further than your home. Dash cams and similar devices may not connect to your home network, but this isn't an excuse for skipping the fundamentals of internet security - strong encryption, strong passwords and secure infrastructure.
Where we live, where we work, where our children go to school, when we're out of the house and our typical daily routines are personal information, and should be protected by the devices we trust to keep in our cars.
We were heartened to see the responses from BlackVue, Garmin and Nextbase, which all pledged to make their devices as secure as possible. But we want to see other leading dash cam manufacturers acknowledge the sensitivity of the data on these devices and push for the best encryption and password standards possible.
New cybersecurity laws have been introduced by the government to ban exactly the sorts of issues we've found in our dash cam testing, including easy-to-guess default passwords. They will also make it easier to report vulnerabilities with devices, and manufacturers will be required to say at the point of sale how long they will support a device with security updates.
The new laws focus on smartphones, tablets and other devices more easily defined as IoT. However, our testing has shown other devices that don't fit so easily under the IoT umbrella still capture personal data, and should be scrutinised in the same way and subjected to the same laws and regulations.
We'll continue to press the manufacturers of all the dash cams affected. We'll update this story with any further developments.