DVR as a "spy in the cabin": large-scale data leak of Nexar

DVR as a "spy in the cabin": large-scale data leak of Nexar

The Nexar story is not just another company being hacked, but an illustration of how household devices are turning from assistants into sources of threats.
A camera on the windshield, which was supposed to protect drivers on the roads, suddenly showed the world the other side of digital progress: privacy turns out to be an illusion if the manufacturer stores data without proper control.

How the leak happened

Nexar built an image around itself as a technology pioneer. It offered users not just a video recorder, but part of a huge network of “virtual cameras.” The devices transmitted data to the cloud, which could then be used in the company’s products — for mapping tasks or analyzing road conditions, for example.

A hacker attack exposed the weak point of this concept. More than 130 terabytes of video recordings and geotags ended up in the hands of the attackers. Among the files are the most mundane scenes: a child in the back seat, a passenger singing along to the radio, a video call. What a person considered personal turned into a corporate resource.

The hacker provided 404 Media journalists with evidence: the access key built into the devices allowed uploading and downloading not only one’s own data, but also other people’s. In essence, each buyer of the recorder had a hacking tool in their hands.

DVR as a "spy in the cabin": large-scale data leak of Nexar

Who could have obtained this data?

Nexar's internal documents included a list of companies and organizations associated with the products:

Apple, Google, Microsoft, Amazon ;
transportation giants Lyft and Waymo ;
developer Niantic (creator of Pokémon Go);
municipalities of Los Angeles and Austin;
IDF structure designated as the recipient of the data in Israel.

Some companies denied active cooperation, some spoke about tests and experiments. But even such explanations do not remove the main question: why do private devices collect arrays of information that are potentially accessible to third-party structures?

The Virtual Cam service occupies a special place . It allowed you to select a point on the map and rewind time to see what happened on the street a week or a month ago. This is no longer a security function, but a surveillance tool that, in the hands of the state or a corporation, turns into a surveillance "time machine".

Why is it dangerous?

What happened to Nexar exposes the vulnerability of the entire concept of “smart” devices:

The vulnerability was fixed only after pressure from journalists.

The records contained strategically important objects.

The device owners had no idea that their trips were becoming part of the open CityStream map.

The hacker himself noted that it took two hours to hack the system , which does not speak to the skill of the attacker, but to the weakness of the defense.

Precedents in other areas

Nexar is just the tip of the iceberg. Stories like this are happening more and more often:

In 2021, hackers gained access to the servers of Verkada , a CCTV camera manufacturer. Tesla factories, hospitals, prisons, and even schools were among those affected.

Amazon's Alexa smart speakers have been in the news more than once for recordings of user conversations that were accidentally sent to third parties.

In 2022, iRobot Roomba robotic vacuum cleaners were “lit up” with a scandal: pictures from the devices’ cameras taken in bathrooms and bedrooms ended up in the hands of contractors who trained the neural network.

All these examples show one thing: the line between a “convenient gadget” and a “surveillance tool” is becoming thinner and thinner.

What awaits the market

Forecast for 1-2 years:

Devices that collect data will become the focus of regulators. Cybersecurity standards for the IoT segment are already being discussed.

Companies will be forced to implement “transparent protocols” – showing users exactly what data they collect and to whom they transfer it.

Users will become more critical about purchasing smart technology. The slogan "we'll make your life more convenient" will sound weaker and weaker without security guarantees.


By Jake Sullivan
September 08, 2025

Join us. Our Telegram: @forexturnkey
All to the point, no ads. A channel that doesn't tire you out, but pumps you up.
FX24

Author’s Posts