Your dashcam is capturing far more than accidents -- and researchers Alina Tan and George Chen have built an automated tool to prove it, compromising dashcams in under six minutes through a fast food drive-through. This conversation explores how connected vehicle peripherals have become a gateway to privacy invasion, mobile botnets, and a surveillance attack surface that most organizations and consumers are completely unprepared to defend.
⬥EPISODE NOTES⬥
What if the device quietly recording your daily commute could be turned against you in the time it takes to order a burger? That is not a hypothetical -- it is a demonstrated reality. Alina Tan, Security Architect and Co-Founder of HE&T Security Labs, and George Chen, Security Architect for a large global company, have spent years dissecting the attack surface of connected vehicle peripherals. Their research -- presented at SecTor and Black Hat Asia 2025 -- introduces a novel attack technique they call "DriveThru Hacking": an automated method for compromising dashcams through Wi-Fi within a standard drive-through window.
The attack is unsettling in its simplicity. Most dashcams ship with default or easily guessable credentials, and many manufacturers do not even allow users to change them. Within a six-minute exposure window, Alina and George's tool -- DriveThru Hacker -- can discover, connect to, and exfiltrate video, audio, and GPS data from a target dashcam, then use an LLM to stitch together a timeline of the owner's home, workplace, daily routes, and private conversations. The result is a shockingly detailed picture of someone's life, assembled entirely from a device most people never think to secure.
The research goes further than individual privacy. George walks through how 4G/5G-connected dashcams dramatically expand the attack surface beyond physical proximity -- opening doors to remote credential stuffing, API privilege escalation, and web-based attacks on cloud-connected accounts. More alarming still, Alina and George demonstrate how compromised dashcams can be converted into a mobile botnet -- a network of roaming, internet-connected nodes whose reach is not bounded by geography. Unlike static IoT devices, these infected cameras move through cities, near sensitive installations, and into places that are deliberately obscured from public maps.
The conversation also digs into the broader ecosystem: the infotainment network and CAN bus segmentation (or lack thereof), over-the-air firmware update security, the challenge of detection and response when dashcams have no audit logs whatsoever, and what responsible disclosure looked like when contacting over a dozen manufacturers -- most of whom had no dedicated security inbox and some of whom had no contact information at all. Alina and George close with practical hardening recommendations for both consumers and manufacturers, and a look at what intrusion prevention for embedded devices might look like as this research continues.
The connected car conversation has long focused on the vehicle itself. This episode makes the case that the accessories attached to it deserve equal scrutiny -- and that the window to act, like the drive-through line, is shorter than most realize.
⬥GUESTS⬥
Alina Tan, Security Architect and Co-Founder at HE&T Security Labs | Website: https://www.heatsecuritylabs.com/
George Chen, Security Architect for a large global company | On LinkedIn: https://www.linkedin.com/in/geoc/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/
⬥RESOURCES⬥
HE&T Security Labs | https://www.heatsecuritylabs.com/
DriveThru Hacking Session (Black Hat Asia 2025) | https://blackhat.com/asia-25/sponsored-sessions/schedule/index.html#drivethru-hacking-45214
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
⬥ADDITIONAL INFORMATION⬥
The Future of Cybersecurity Newsletter | https://itspm.ag/future-of-cybersecurity
Connect with Sean Martin | https://www.seanmartin.com/
DriveThru Hacking: When Your Dashcam Becomes the Attack Vector | A Redefining CyberSecurity Podcast Conversation with Alina Tan and George Chen
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSPmagazine. This is Sean Martin, your host, where hopefully you're joining me because I get to chat with some really cool people about cool topics from all over the world. Today's no exception. We're going to be looking at basically autonomous vehicles, connected vehicles, and the technologies and the ecosystem surrounding them and how they can be exploited -- and how we can be impacted as a society and as individuals if they are. And I'm thrilled to have George and Alina on who presented on this topic. I connected with them via the SecTor event up in Toronto, Canada. George and Alina, it's great to see you. Thanks for being on.
[00:00:48] George Chen: Thanks for having us.
[00:00:49] Sean Martin: Maybe a quick background from each of you -- things you're working on, and whatever role you have. Alina, can we start with you?
[00:00:59] Alina Tan: Yeah, sure. Thanks for having us, Sean. So my name is Alina. I am the co-founder of HE&T Security Labs. I also wear a community hat as well. I do car security in general -- what I'm working on right now is specifically on cars as well, like vehicle infotainment research in general. I like to get my hands dirty on vehicle cybersecurity, on operational technology cybersecurity as well. Yeah, that's about me.
[00:01:40] Sean Martin: That's great. Thanks for getting up early in Japan and joining me for this.
[00:01:45] Alina Tan: Takes a lot, Sean.
[00:01:46] Sean Martin: George.
[00:01:48] George Chen: Hi, I am George Chen from Singapore. I am a security architect doing this for fun, really. No prior background in this specifically. Primarily just a user who one day was trying to connect to my dash cam in my car and accidentally connected to somebody else's who was using a similar model, and that kind of sparked the curiosity to dig deeper.
[00:02:12] Sean Martin: The 'whoops, what did I connect to' moment. That's how a lot of hacking starts, I think. And it's a question of how far and deep you take things -- and doing that ethically and disclosing it properly. I'm curious to hear how the two of you came together and got the presentation put together for SecTor.
[00:02:36] George Chen: I reached out to Alina. Alina happened to work in the same company as I did, but we didn't have any overlap. But I heard about her enthusiasm in car hacking. And so when I saw a topic like this, I reached out to Alina to see whether we wanted to do some form of collaboration -- after all, the dash cam is an extension of the connected car that we see today. If you look at the attack surface, that could be a potential entry point, and it's something she was interested in. So we dove deeper and found that this could potentially be an attack path on different fronts.
[00:03:20] Sean Martin: Yeah, and I'm trying to remember -- I think there were two gentlemen who presented the Jeep hack at Black Hat a number of years ago. And lots has happened since then. Clearly a lot of awareness in the industry that this is real -- it's not just a bunch of kids messing around. There's a lot of potential danger. How aware do you think the industry is now? Do they recognize -- even specifically this dash cam thing that you presented on -- are they familiar with what's going on, or are we just ripe with vulnerabilities and finding as many as we can?
[00:04:08] George Chen: I think it certainly caught the attention of quite a lot of people because from our quick survey of the participants alone, most of them would have used a dash cam. But when we asked, 'have you hardened your dash cam?' -- the answer was generally no. So I think that's why it caught quite a lot of attention: something as basic as a dash cam could prove to be detrimental if compromised. That's our starting angle. It's also interesting to see different kinds of dash cams and different levels of connectedness in different countries, and how exposed the Wi-Fi on those dash cams is. Alina, do you have a take on that?
[00:05:00] Alina Tan: I second George's opinion because I think a lot of people are using dash cams but not a lot of people are looking into securing them. We even had participants come to us saying they didn't know you could actually do that -- even after we had found CVEs on the cameras. So a lot of awareness still needs to be created around dash cameras. For vehicles in general, there has been a lot of research going on since the Jeep Cherokee attacks. One of the upcoming areas might be electric vehicles and charging stations. And autonomous vehicles -- the public needs more awareness on those as well.
[00:06:09] Sean Martin: Can you give an overview of what you did and what you presented? Then I have some follow-up questions on what systems are involved, how they're integrated or separate, and the full ecosystem.
[00:06:31] George Chen: Sure. We started with this new attack technique we call 'DriveThru Hacking' -- where the attacker positions themselves in a drive-through, like a fast food drive-through, and as cars drive through and pick up their food, their dash cameras could be compromised within that five-minute window. We started with a privacy angle: we demonstrated how sensitive the video, audio recordings, and GPS data on dash cameras could be. We did a selective dump -- because of the short window -- and processed it using an LLM to stitch together a timeline of where the car had been, possible home and workplaces, the kinds of conversations on board, the kinds of passengers. By the end of the drive-through, we could show them a kind of dashboard of their life. Just to evoke a response and show how sensitive the recordings could be and how easily we could get access. That was the first part. As we looked deeper, we began exploring putting command-and-control beacons on these dash cameras and turning them rogue -- essentially creating a botnet on wheels. Typically with IoT devices, the reach is fairly limited because they're static. But if you have an infected device that roams around on the road, the reach becomes exponential. We bought another set of cameras -- some with 4G/5G cloud connectivity -- and set up a small lab to test whether we could create a botnet. We recently presented that at a Kaspersky conference as well, showing how a mini botnet can be formed, starting from one single infected camera and then spreading to another seven or eight dash cameras.
[00:08:51] Sean Martin: That's quite something. Alina, I'd like your thoughts on this. I forget how many years ago I spoke to Melanie Ensign, who was part of Uber at one point, and we were looking at the privacy issue specifically in California around driverless cars used as taxis and ride-sharing vehicles. People get in, register for the ride, go home -- and now we're talking about dash cams in these vehicles, where we can see who they are, what they're talking about, when they arrive home. That becomes a very serious privacy issue. There's one thing about an individual buying a dash cam for their own car, but as a passenger sitting in a rideshare or a taxi or even a friend's car, their privacy can be impacted without their consent. Any thoughts from a global, regional, and regulatory perspective?
[00:10:32] Alina Tan: From the Singapore perspective, a lot of users -- even dash cam owners -- when they send data out to the cloud, there's just very small fine print about it, so you're not really sure your data is on the cloud. From our research, George and I actually uncovered that we were able to access public information freely streaming on the cloud. We were able to watch people live on websites -- just discussing things and driving along regular streets. We managed to pull that information and stitch it up into something like a comic strip of people's conversations. That's really concerning. There isn't really any privacy law around that protecting us. Even the laws we have focus mainly on cybersecurity of vehicles -- how to secure them -- rather than specifically on data leakage: your day-to-day conversations, what's happening in your vehicle. You might just get into an Uber, talk about something confidential or personal with a friend, and that information might get out without you knowing, unless you know the brand of the dash camera. I think a lot more needs to be done in terms of awareness and building guidelines and data protection laws around this. And from the cloud-connected portion -- George, do you want to add on that?
[00:12:54] George Chen: Yes. What Alina was alluding to is that on dash cameras with cloud connectivity, there's an option to make them public -- kind of live streaming as you drive. I have no idea why people would want to do that, but that's where we found ride-hailing services turning their dash cams public. What was more concerning was that we saw vehicles used by law enforcement. We saw police officers talking about different things, for instance. We also saw military personnel driving vehicles back into military bases in other countries -- and these are places that are usually masked out on Google Maps because they're restricted areas. Think nation state: this could provide additional visibility into locations they previously didn't have reach to. And if you're compromising the dash cams, these become nodes that can then extend their reach into the network devices around us within the vicinity. As cars get more and more connected, that pressure is increasing, and there's a need to bring up awareness and hopefully work with dash cam manufacturers and car manufacturers together.
[00:14:35] Sean Martin: I'm just thinking through the whole connected botnet thing and taking that around -- and perhaps even inside -- a military base. That could have very serious implications. So the devices themselves that you tested -- were they off-the-shelf commercial devices, or did you also look at integrated systems?
[00:15:09] George Chen: We did a survey on our streets to see which were the top cameras. The top cameras we focused on were not integrated -- they were primarily retrofitted -- because of their features and low price point. Many new cars have them fitted by default because it's required for insurance purposes. We did look into some that came with the car itself, connected to the infotainment system. Alina, do you want to share more about that?
[00:15:48] Alina Tan: Yeah. Those are retrofitted in there. We were still researching the connected part of the items. From our initial look, they seem secured pretty well. There's some form of segmentation so people can't really pivot directly from the dash cameras into the infotainment system and then directly to other individual systems. But that being said, we're still continuing our research. The connectivity is just functional for now -- but the pivoting is a part we're still researching.
[00:16:36] Sean Martin: And it's been a while since I've looked at this, but the infotainment network or bus is typically separate from the CAN bus.
[00:16:48] Alina Tan: Yes, that's right. Most vehicles now handle this pretty well -- the connection between the CAN network and the infotainment network is segregated properly. That being said, with more research, we might uncover different vulnerabilities that could allow lateral movement or pivoting directly from that angle. But it's not easy.
[00:17:23] Sean Martin: Talk to me a bit about 4G and 5G -- and who knows what 6G will bring. Putting things in the cloud is one thing, but having the speed, bandwidth, and everywhere-all-the-time capability of 4G and 5G makes this scale at levels probably not humanly possible to imagine. What does that look like, and is there any role for the network providers to do anything on their end to help?
[00:18:02] George Chen: The attack surface increases drastically when we talk about cloud-based cars or dash cameras. Typically the attack surface of a car is limited to physical proximity -- you need to be near to connect via Wi-Fi or Bluetooth. But when we talk about cloud, everything is connected to a web application, a mobile application. Once protecting it is just a set of credentials, you can remotely start your car, remotely view your feed, see where your vehicle is, and listen to what's going on around your vehicle in the middle of the night. From a threat model perspective, it's no longer just physical proximity. An attacker could be miles away, doing enumeration of usernames to find valid ones, then performing credential stuffing to attempt to access accounts. You also look at web vulnerabilities -- these are after all API calls. Can you, with access to one set of credentials, privilege escalate to access other accounts? These were things we started looking into beyond just the physical proximity angle.
[00:19:49] Sean Martin: What advice did you share at SecTor, and maybe expand on it a bit here? There's the manufacturing and hardware part, the close-proximity network, the cloud-based 4G/5G network, and then the web app, mobile app, cloud app, and all the APIs. Who was the audience and where do you start?
[00:20:42] George Chen: When we did our scan, because of the level of hygiene, we went for the low-hanging fruit: devices with default or weak credentials. If we were to perform brute force in a real drive-through, we would need more time, so we tend to go for the low-hanging fruit first. The first thing is credentials -- always change to a secure or longer password. Not many dash cameras offer multi-factor authentication today, but many do offer a device pairing process. If that's available, enable it -- though in our research we found a lot of this could be broken. That's on the manufacturer's side to ensure only the legitimate owner can pair. We also proposed hardening methods at different layers. We explored hardware-based hardening where a user could plug in and run a script to harden the dash camera at Layer 7 and Layer 4 -- blocking certain protocols that aren't used, restricting to certain MAC addresses. That would make the attack flow a lot more restrictive and harder.
[00:22:47] Sean Martin: Anything to add there, Alina?
[00:22:51] Alina Tan: To follow up on the 4G/5G angle -- one segment we often look at from a vehicle perspective, not just dash cameras, is over-the-air updates. How do we secure those? Cellular connectivity needs to be encrypted properly. Firmware has to be signed with digital signatures. A lot more can be done from different perspectives -- securing the connectivity via OTA updates, ensuring the firmware itself is secured by the manufacturer before it gets pushed into the vehicle. That's one part we often overlook in terms of securing the whole connectivity flow.
[00:24:01] George Chen: Speaking of firmware -- some manufacturers release it online, which makes it easy to patch. But it also makes it very easy for researchers to look at the endpoints, because when we open it up, we see hardcoded passwords, and the different APIs being called. That makes reverse engineering a lot easier when you want to dissect and understand what's going on in the network traffic.
[00:24:33] Sean Martin: Yes, it goes back to your authentication point -- and that content should be encrypted before delivery. As we wrap up, I want to get your thoughts on detection and response. Security looks at: how do we find and identify the vulnerabilities, shore them up, put mitigating controls in? Then we follow on with detection and response. There's a lot of money being spent on detection and response in traditional IT environments. Do we have detection and response coming along for the ride in the connected vehicle space, or is only the vulnerability and attack side being served -- no monitoring and response?
[00:25:32] George Chen: That's an interesting area. We did publish a number of CVEs, but how do you scan for those CVEs? How are your scanners going to reach vehicles in the first place and execute a scan? It's not like scanning typical services. Even if an enterprise wants to scan a device, it's going to be challenging -- how do they connect to individual dash cameras? And on detection and response: we looked into the dash cameras and found basically no audit logs on who has logged in. For cloud-connected ones, there may be some server-side logs recording timestamps and IP addresses. But from a camera perspective, the logs are just not present. If there are no logs, it's going to be very hard to detect and respond. It would be great if dash cam owners could see the frequency of logins, get notifications about new device connections -- something as basic as that, with some form of detective controls that can warrant an action. That alone, from a user perspective, would be really valuable.
[00:27:02] Sean Martin: Alina, any thoughts on that or your view of what the future might hold in this space?
[00:27:10] Alina Tan: For the SecTor session, we actually looked into putting an IPS into the dash camera. But with the small amount of space within the dash camera itself, it was quite challenging. It might need additional development work based on the tiny PCB board we have. When we tried experimenting with it, it took up too much resource and affected the operation of the dash camera itself. So it's definitely doable -- it just needs a lot more time to package it into a small package and put it in the camera, because that's something people aren't really focusing on. For vehicles in general, there are really a lot of ideas and commercial solutions out there, and OEM manufacturers have been working with cybersecurity firms to do that. So for the vehicle side, I think we're safer, but for the dash camera side -- hopefully we'll come up with something interesting.
[00:28:37] Sean Martin: It's so cool that you're looking into this and working on things like that. It's certainly needed, and I'm glad you're both working on it and had a chance to present it at SecTor. Hopefully I'll get a chance to meet you in Singapore or Japan at some point, or perhaps at another event where you get together and share more of your findings and thoughts on this topic and others.
[00:29:07] George Chen: Likewise -- looking forward to it.
[00:29:09] Alina Tan: Looking forward to it as well, Sean.
[00:29:12] Sean Martin: Absolutely. Well, thanks again for joining me here. And everybody listening and watching -- thanks for participating in another Redefining Cybersecurity. I'll include a link to connect with George and Alina and a link to their session at SecTor so you can read more about that and perhaps they can share more about the research they've done. Until the next time -- thanks for listening and watching. Stay tuned, subscribe, share with your friends. If you like what you hear, give us a thumbs up on your favorite podcast player. Thanks Alina, thanks George. See you soon.
[00:29:52] Alina Tan: Thank you.
[00:29:52] George Chen: Goodbye. Have a good one.