A company that makes a popular dash camera has been hacked.
Nexar refers to its products as an “AI driving sidekick.” They are used by drivers who want video evidence in the event of an accident, as well as by rideshare drivers concerned about unruly or violent riders.
But as Joseph Cox reports, a hacker was able to access loads of videos from Nexar. Cox is co-founder of 404 Media, a tech investigations website. He joined The Show to talk more about this.
Full conversation
MARK BRODIE: And Joseph, as you reported, this data is not only being stored, but it was also hacked.
JOSEPH COX: Yeah. So not ideal when you have this dash cam in your vehicle, and maybe it’s for your own purposes or whatever. But yes, I reported that a hacker broke into Nexar’s systems, and what they were able to do was find terabytes of users’ dash cam footage that had been uploaded to the cloud.
The reason the hacker was able to do this — they told me within a couple of hours, they compromised the company. They were able to do this without getting too technical, but there’s basically a digital key inside every single dash cam. And rather than just allowing that individual dash cam to upload its own footage, the key erroneously could basically view everybody else’s footage as well. It could even delete other people’s footage as well. So the hacker was able to use that, log in and see all of this footage collected from people’s dash cams all across the United States.
And the hacker sent some to me. And, you know, it’s sensitive stuff. Obviously, these people did not expect that their conversations probably were being uploaded to a server. They definitely didn’t think a hacker would get them, and they absolutely didn’t think a hacker would then provide their private footage to a journalist as well.
BRODIE: Yeah. So, I mean, it seems like there are clearly some privacy concerns. But as you report, there are also some potential national security concerns in terms of where some of these drivers were taking passengers.
COX: Yeah, the hack by itself would already be the story, of course. But going through the data, the hacker was able to find that one of these people kept driving towards the entrance of the Central Intelligence Agency. And they managed to bring up a few videos, and at one point it shows the person clearly taking their dash camera off the dash and then hiding it, presumably because they’re driving to a sensitive location.
But then in another case, it seems that they didn’t remember to do that. And I’ve seen the video where this person is driving pretty close up to the entrance to the CIA. Now, do our adversaries already know what the CIA looks like? I imagine so, but this is not — it’s not ideal that this data and these images were uploaded to a server that then was apparently very vulnerable to hackers as well.
BRODIE: So what was the hacker trying to do here? What was their motivation for busting into this information and sharing it with you?
COX: So hackers’ motivations can be somewhat complicated. But in this case, it appears that they saw that I wrote an article about Nexar before. After that, the hacker contacted me and said, “Oh, I’ve actually already broken into Nexar, because I found this very serious vulnerability. And I was thinking of doing a responsible disclosure.”
And that is where the hacker basically tells a company, “Hey, there’s something wrong with your systems, you should fix it.” Now, companies don’t always respond when hackers reach out to them. So in my more than 10 years of doing this, it is very common that hackers will come to me because they believe the company is much more likely to fix the issue if a journalist contacts them as well.
Now of course, this person probably still broke the law. They still went in and they did hack these systems, but in their eyes, they’re doing it to protect people. They’re doing it to get this issue fixed. And Nexar did fix the vulnerability after I contacted them for comment.
BRODIE: Yeah, I was curious about what Nexar’s response was. It sounds like they fixed it. Did they seem aware of the fact that this was an issue?
COX: They didn’t seem aware — well, let me rephrase that ever so slightly. So I reach out. I tell Nexar about it. Over the few days that it took to report this story, they do fix the issue.
After publication, I’m actually contacted by another security researcher who I already have a relationship with, and they said they’d actually already warned Nexar a week or so before that. So clearly they should have known about it or potentially could have known about it. But it was only after I contacted them that they actually fixed the issue.
BRODIE: Well, so do users of these dash cams know that their video, that their data is going to be stored on a server somewhere? Is that part of the agreement that they make when they put one of these in their cars?
COX: So, there’s a second part to the story, which is that as well as the hack, there is this public map that you can just go look at on Nexar’s website. It’s publicly available, and it has images from its users’ dash cams. And they do this because Nexar also sells that data. They basically use AI to identify road signs, traffic, that sort of thing. And then they sell it to companies such as Google.
Now again, that’s a public map that has images taken from people’s dash cams. I then reached out to, I think, four or five different Nexar dash cam users, and the three or so who got back to me said they had no idea that this map existed. They had no idea that they have this small camera in their car, and it’s surreptitiously uploading this data to a public map.
That’s already bad enough. And then the Nexar users I spoke to obviously also did not know that the company had been hacked.
BRODIE: Did Nexar, have they said anything about how they will — obviously they fixed the specific vulnerability that the hacker and the other security expert had found. But have they said anything about maybe changing their notifications or maybe not having that public map anymore, or maybe trying to do something to better protect all this video and all this data?
COX: Nexar haven’t said anything to me about changing the data side of their business, about changing this publicly available map. I think for them, it is probably a sizable part of their business. This hacker also managed to obtain a PDF, which laid out some of the other companies which have interacted with Nexar in some form about potentially buying this data.
And there are companies like Microsoft in there, Google, Apple, even Niantic, which is the maker of the mobile game Pokémon Go. You can see why these companies would probably want traffic or vehicle or camera data. I can’t imagine Nexar is in a rush to stop that side of its business if it believes it’s already disclosed enough to the users. Just the users I spoke to really had no idea.
BRODIE: Yeah, I wonder — not to be too cynical here — but is it too far of a stretch to, if you buy one of these, to assume that the video is going to end up, the data is going to end up somewhere that maybe you’d rather it not?
COX: I think that’s a risk with every application or device that we use nowadays. And honestly, it is exhausting as an ordinary consumer to figure out, “Oh, I’ve just bought this new piece of tech. What do I have to worry about now?” I do this every single day as well.
That being said, even if you assume, “Oh, my dash cam footage is being uploaded somewhere,” I don’t think customers should — or they shouldn’t have to assume — it’s going to be posted on a public map, or it’s going to be vulnerable to hackers.
We all know the data is going to exist somewhere, but I don’t think we should give up and just assume that, “Oh, hackers will get this, at some point.” That being said, the person driving to the CIA clearly knew there was some sort of issue, which is why he kept taking the camera off his dash and hiding it in his car. So he knows that there’s something there.