A hacker broke into a database of video recordings taken from Nexar-branded cameras, which are built to be placed in drivers’ cars, according to a new report from 404 Media.
Nexar is a dashcam company that promotes its products as “virtual CCTV cameras” and offers automatic cloud uploads of critical incidents, AI-driven insights, and real-time road alerts. It offers customers remote video streaming, live GPS tracking, and easy-to-share video evidence.
Nexar also sells access to reportedly blurred images captured by the cameras and other related data to other companies. Nexar monetizes users’ data and recordings by repackaging them into various products. One of those is the company’s CityStream map which uses recent and blurred images taken by Nexar dashcams, superimposes them on a publicly available map, and annotates things such as yield or speed limit signs, damaged roads, and other hazards.
This level of access and data handling should come with a healthy corporate security stance. But, according to the hacker who breached the company’s systems, Nexar is an absolute privacy nightmare with embarrassing security. Allegedly, it only took the hacker two hours to breach Nexar’s systems, and they stated:
“I would be very surprised if no one (foreign government or just bad actor) wasn’t already tapping their customer data.”
In one clip the hacker provided to 404 Media as proof, a Nexar camera faces inward into a car, capturing what appears to be a rideshare driver picking up passengers. As in many other videos, people’s faces are clearly visible.
Nexar co-founder and CTO Bruno Fernandez-Ruiz told 404 Media in an email that, per Nexar’s privacy policy, users who contribute to the CityStream feature do so with either opt-in—or opt-out—consent, depending on the jurisdiction.
Besides the personal implications, 404 Media also highlighted some potential national security risks in the evidence the hacker provided.
The hacker found all the videos in an improperly secured Amazon Web Services (AWS) S3 bucket. An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There, the hacker found more than 130 TB worth of data.
The hacker was able to access the bucket because a credential for it was embedded in every Nexar dashcam, and that credential carried far more privilege than a camera needs. Instead of allowing a device to upload only its own recordings, it allowed anyone holding the key to read everyone else’s as well. Anything shipped inside a consumer device should be assumed extractable, so a key like this effectively becomes public the moment the firmware is pulled apart.
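To make the privilege problem concrete, here is an added example that is not Nexar’s code or configuration: a blanket bucket grant of the kind that lets one device key read everyone’s uploads, beside a per-device least-privilege grant, with a simplified IAM evaluator showing what a key extracted from a camera can do under each. The bucket name, the `devices/<id>/` prefix layout, and the device IDs are assumptions made for the illustration.

```python
import re

BUCKET_ARN = "arn:aws:s3:::example-dashcam-uploads"  # assumed bucket name


# Pattern 1 (weak): one long-lived key shared by every device, with a blanket
# grant on the whole bucket. A key with this grant can read, list and delete
# every other camera's uploads, not just push its own.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}


def scoped_policy(device_id: str) -> dict:
    """Pattern 2 (least privilege): a policy minted per device, for example as
    the session policy on short-lived STS credentials a backend hands out after
    the device authenticates. The device may only write under its own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"{BUCKET_ARN}/devices/{device_id}/*"],
        }],
    }


def _glob_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation for a single identity policy without
    conditions: implicit deny unless some Allow statement matches, and any
    matching explicit Deny overrides every Allow. Actions match
    case-insensitively and resources case-sensitively, as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def exposure_report(policy: dict, device_id: str) -> dict:
    """What a key carrying `policy`, pulled out of device `device_id`, can do."""
    own = f"{BUCKET_ARN}/devices/{device_id}/clip-001.mp4"
    other = f"{BUCKET_ARN}/devices/other-device/clip-001.mp4"
    return {
        "upload own clip": is_allowed(policy, "s3:PutObject", own),
        "list whole bucket": is_allowed(policy, "s3:ListBucket", BUCKET_ARN),
        "read another device's clip": is_allowed(policy, "s3:GetObject", other),
        "delete another device's clip": is_allowed(policy, "s3:DeleteObject", other),
    }


if __name__ == "__main__":
    for name, pol in (("shared key", WEAK_POLICY), ("scoped key", scoped_policy("cam-a"))):
        print(name)
        for capability, ok in exposure_report(pol, "cam-a").items():
            print(f"  {capability:30s} {'ALLOWED' if ok else 'denied'}")
```

Scoping alone is not enough: a scoped key baked into firmware still leaks with the firmware. The combination that holds up is a per-device identity, short-lived credentials issued by the backend after the device authenticates, a policy that permits only writes under that device’s own prefix, and bucket access logging with an alert on any credential that touches a prefix other than its own.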
Another find by the hacker was a file showing the companies and organizations that Nexar says have had access to the company’s data. According to the document, these include Apple, Microsoft, Amazon, Google, Pokémon Go creator Niantic, transportation companies Lyft and Waymo, the cities of Los Angeles and Austin, the NYPD, and many AI- and logistics-focused companies.
Nexar fixed the issue after being contacted by 404 Media this week, but the level of trust that should be expected from a company storing dashcam or CCTV footage has taken a serious hit.
Protecting yourself after a data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or typed in from an app, can be phished just as easily as a password. 2FA that relies on a FIDO2 device resists phishing because the credential is bound to the genuine site and will not work on a look-alike.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover afterwards.
We don’t just report on data privacy—we help you remove your personal information
Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.