Exposed debug UART yields root on Kestrel fleet dashcams
A populated, unauthenticated UART header on the RoadEye 5 mainboard drops straight to a root shell, exposing fleet credentials and recorded footage to anyone with brief physical access.
- Vendor: Kestrel Telematics
- Product: RoadEye 5 fleet camera
- Severity: Medium · CVSS 6.4
- Target: Automotive / fleet
- Disclosed
- Status: Hardware fix in 2026 production run
Overview
The RoadEye 5 records and uploads fleet telematics. We found a four-pin header beside the SoC carrying a live serial console at 115200 baud.
The console presents an interactive shell with no login prompt, running as root within seconds of power-up.
Impact
An attacker with momentary access to a parked vehicle can extract the device's fleet API token, pull cached footage, and pivot to the backend upload account. Footage confidentiality and fleet-account integrity are both at risk.
Remediation
Kestrel will depopulate the header and gate the console behind a signed challenge in the 2026 production run. Existing units can have the header physically removed during scheduled maintenance.
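To make the gated-console remediation concrete, the following is an added sketch of a signed-challenge gate of the kind described above; it is not Kestrel's implementation, and the Ed25519 key type, the message layout and the device-identifier format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ConsoleGate models a serial console that spawns a shell only after the operator
// signs a fresh random nonce with a maintenance key whose public half is burned in.
type ConsoleGate struct {
	DeviceID string            // assumed per-unit identifier (hypothetical format)
	MaintPub ed25519.PublicKey // public half of the fleet maintenance key
	nonce    []byte            // outstanding challenge, nil when none
}
// Challenge emits a fresh 32-byte nonce; the previous one is discarded, so a
// response captured from an earlier session cannot be replayed.
func (g *ConsoleGate) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	g.nonce = n
	return n, nil
}
// responseMsg binds the nonce to this unit so a response for one device
// cannot unlock another device's console.
func responseMsg(deviceID string, nonce []byte) []byte {
	return append([]byte("roadeye-console:"+deviceID+":"), nonce...)
}
// SignResponse is the operator side: the maintenance tool signs the challenge.
func SignResponse(priv ed25519.PrivateKey, deviceID string, nonce []byte) []byte {
	return ed25519.Sign(priv, responseMsg(deviceID, nonce))
}
// Unlock verifies the response and consumes the nonce either way, so each challenge is single-use.
func (g *ConsoleGate) Unlock(sig []byte) bool {
	if g.nonce == nil {
		return false
	}
	ok := ed25519.Verify(g.MaintPub, responseMsg(g.DeviceID, g.nonce), sig)
	g.nonce = nil
	return ok
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	gate := &ConsoleGate{DeviceID: "RE5-EXAMPLE-0001", MaintPub: pub}
	nonce, _ := gate.Challenge()
	fmt.Println("unlock:", gate.Unlock(SignResponse(priv, gate.DeviceID, nonce)))
	fmt.Println("replay:", gate.Unlock(SignResponse(priv, gate.DeviceID, nonce)))
}
```

The private key stays in the maintenance tooling; a device holds only the public key, so extracting one unit's storage yields nothing that unlocks another unit's console.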
Disclosure timeline
- Findings sent to Kestrel
- Vendor confirms, plans hardware change
- Coordinated disclosure