SecTor 2025 | DriveThru Hacking: Now with Delivery

Black Hat
Apr 15, 2026

Why It Matters

Compromised dash‑cams give attackers real‑time video, location and vehicle control, turning a common consumer gadget into a privacy and safety threat for drivers worldwide.

Key Takeaways

  • Many dash cams ship with default or unchangeable passwords, leaving them exposed to anyone within Wi‑Fi range.
  • Shared hardware and firmware let one exploit compromise many models.
  • Attack flow uses drive‑thru Wi‑Fi scanning to steal footage within seconds.
  • Researchers demonstrated remote root access via unauthenticated upload endpoints on dash cams.
  • Some dash cams expose live streams publicly, leaking personal location and conversations.

Summary

The video presents a research project titled “Drive‑Thru Hacking: Now with Delivery,” demonstrating how dash‑cam devices can be compromised when a vehicle stops at a drive‑through. The team, led by Benjamin So and colleagues, scanned over 1,000 Wi‑Fi SSIDs in Singapore, purchased more than 20 dash‑cams from 16 brands, and built an automated tool that discovers, authenticates, extracts, and exfiltrates video footage within the brief window a car spends in a drive‑through lane.

Their findings show that eight‑in‑ten dash‑cams are installed, many manufactured in Asia, and a majority share identical hardware and firmware. Fifteen of the twenty‑two tested units shipped with the same default password, and four brands used immutable passwords, making unauthenticated Wi‑Fi access trivial. The researchers also uncovered unprotected API ports, unauthenticated upload endpoints, and hard‑coded credentials that enable full root control, video download, and even remote battery sabotage.

Notable demonstrations include spoofing a trusted device’s MAC address to bypass pairing, using port‑knocking on custom API ports (7778/7779) to retrieve video and audio streams, and uploading a CGI web shell to gain root on model K. They also highlighted a misconfiguration where dash‑cam mobile apps expose live feeds to anyone, revealing owners’ routes, home addresses, and private conversations.

The work underscores a systemic lack of security hygiene in the dash‑cam market, where cost and video quality are prioritized over authentication and firmware integrity. Manufacturers face urgent pressure to enforce unique passwords, secure OTA updates, and disable default Wi‑Fi access, while consumers should treat dash‑cams as potential attack vectors that can compromise personal privacy and vehicle safety.

Original Description

In-car dash cameras (dashcams) are now standard in modern vehicles, often encouraged by insurers to support claims. But without strong security, they pose a serious privacy and attack risk.
This talk introduces the latest iteration of DriveThru Hacking, targeting over two dozen dashcam models via an automated, vendor-agnostic tool that extracts footage, GPS data, and conversations in minutes. A new online service enables controlled testing via license-based red (attack) and blue (defense) modes. Blue deploys hardening and a lightweight IPS to block known threats.
We will also explore SIM-enabled dashcams with 4G, where attackers escalate privileges from local access and establish outbound C2 beacons - turning mobile dashcams into roaming footholds. Unlike IoT devices locked to a home, these are exposed everywhere the vehicle goes.
We will close with practical countermeasures for manufacturers, defenders, and regulators navigating an increasingly connected automotive world.
By:
George Chen | Security Architect,
Alina Tan | Co-founder, HE&T Security Labs
Chee Peng Tan | Lead Cybersecurity Analyst
Benjamin Cao | Incident Response Lead
Presentation Materials Available at:
