CVSS2: 3.3 Low
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:A/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 8.8 High
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 30.6%

An exploitable vulnerability exists in the Wi-Fi Access Point feature of the Roav A1 Dashcam running version “RoavA1_SW_V1.9.” A set of default credentials can potentially be used to connect to the device. An attacker can connect to the AP to trigger this vulnerability.
Anker Roav A1 Dashcam RoavA1_SW_V1.9
<https://goroav.com/products/roav-dash-cam-a1>
7.1 - CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-798: Use of Hard-coded Credentials
The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that they can toggle settings and download videos from the dashcam, along with a host of other features. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “Roav_A1_” SSID, with the default password of “goroavcam.”
From here, the user is not required to change the default password, although that option is available. As such, the combination of this default credential and the manual start of the Wi-Fi AP itself serves as the only means of protection from attackers, because there is no authentication anywhere else.
2018-10-29 - Vendor Disclosure
2018-11-02 - 2nd vendor contact
2018-11-05 - Vendor acknowledged & created ticket reference
2019-01-03 - 60 day follow up; Vendor closed ticket and advised issue under review with Engineering team; Talos requested point of contact for Engineering team
2019-03-06 - 90 + day follow up
2019-03-27 - Final notice of public disclosure
2019-04-18 - Suggested public disclosure date (171 days after initial disclosure)
2019-05-13 - Public Release