Anker Roav A1 Dashcam Wifi AP Default Credential Vulnerability

Summary

An exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version “RoavA1_SW_V1.9.” A set of default credentials can potentially be used to connect to the device. An attacker can connect to the AP to trigger this vulnerability.

Tested Versions

Anker Roav A1 Dashcam RoavA1_SW_V1.9

Product URLs

<https://goroav.com/products/roav-dash-cam-a1&gt;

CVSSv3 Score

7.1 - CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-798: Use of Hard-coded Credentials

Details

The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that they can toggle settings and download videos from the dashcam, along with a host of other features. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “Roav_A1_” SSID, with the default password of “goroavcam.”

From here, it’s not required that the user changes the default password, although it is an available option. As such, the combination of this default credential and the manual start of the Wi-Fi AP itself serve as the only means of protection from attackers (due to the lack of authentication anywhere else).

Timeline

2018-10-29 - Vendor Disclosure
2018-11-02 - 2nd vendor contact
2018-11-05 - Vendor acknowledged & created ticket reference
2019-01-03 - 60 day follow up; Vendor closed ticket and advised issue under review with Engineering team; Talos requested point of contact for Engineering team
2019-03-06 - 90 + day follow up
2019-03-27 - Final notice of public disclosure
2019-04-18 - Suggested public disclosure date (171 days after initial disclosure) 2019-05-13 - Public Release