A recent report by 404 Media revealed a serious security breach involving Nexar, a company that makes dashcams and promotes them as “virtual CCTV cameras.” According to a hacker who breached the company’s systems, Nexar’s security was embarrassingly poor. The hacker claimed it only took two hours to gain access to the company’s systems. The breach exposed a massive database of video recordings, which the hacker found on an improperly secured Amazon Web Services (AWS) bucket—a type of cloud storage. In one of the clips provided as proof, a rideshare driver’s camera was pointed inwards, showing passengers with clearly visible faces. This incident raises significant concerns about user privacy and the security of a company that handles such a high volume of sensitive personal data.
In addition to selling dashcams, Nexar also monetizes user data and recordings by repackaging them for other companies. One of these products is the company’s CityStream map, which uses recent, blurred images from its dashcams to annotate publicly available maps with information like street signs and road hazards. While Nexar’s co-founder and CTO stated that users can opt-in or opt-out of data contribution depending on their location, the fact remains that a vast amount of user footage is being collected and repurposed. The hacker’s findings highlight the risks of this business model, particularly when a company fails to implement robust security measures to protect the data it profits from.
The hacker was able to access the AWS bucket because of a significant security flaw: a key with high privileges was embedded in every Nexar dashcam. This key not only allowed cameras to upload their own data but also gave anyone with the key access to everyone else’s recordings. This single, critical vulnerability left more than 130 terabytes of data exposed. The hacker also discovered a document listing companies and organizations that have had access to Nexar’s data. This list included well-known names like Apple, Microsoft, Amazon, and Google, as well as transportation services like Lyft and Waymo, and even law enforcement agencies such as the NYPD.
Although Nexar fixed the vulnerability after being contacted by 404 Media, the breach severely damaged the trust users place in a company that stores such sensitive dashcam and CCTV images. The incident serves as a stark reminder of the importance of strong corporate security, especially for companies that handle large amounts of personal data. The potential for foreign governments or other malicious actors to have already exploited this vulnerability before it was discovered is a serious concern.
If you are a Nexar user or believe you may have been a victim of this or any other data breach, there are several steps you can take to protect yourself. First, check the vendor’s advice for specific instructions. You should immediately change your password, making sure to use a strong, unique one for this account. Enabling two-factor authentication (2FA) is also highly recommended. Be wary of phishing attempts—scammers may pose as the company to get your information. Finally, consider not storing your card details on websites and setting up an identity monitoring service to alert you if your personal information is being traded illegally online.
Reference:
