IP Cameras in Modern Warfare: Pre-Strike Recon and Post-Strike Assessment

For cybercriminals and nation-state actors, IP cameras are the gift that keeps on giving. Internet-exposed, with default credentials intact and unpatched vulnerabilities, they’re easily exploited to gain initial network access or be conscripted into botnets. The current war in the Middle East has turned another tactic into standard operating procedure: weaponizing cameras on any building or street for pre-strike surveillance, real-time targeting and post-strike bomb damage assessment (BDA). As free infrastructure that’s there for the taking, it was only a matter of time.

IP cameras became widespread in cityscapes in the 2000s. They’re easy to locate and easy to hack, or not: many have unauthenticated video feeds that allow anyone who knows the IP address to anonymously view the live feed. Their ground-level position provides more useful angles and views than satellites and high-altitude drones and, with a few more skills, those angles can be customized via remote control execution.  

Multiple widely cited reports confirm that IP cameras are being weaponized on all sides of the current war. Check Point Research and the Financial Times (subscription required) document the use of strategically positioned security and traffic cameras throughout the Middle East, and Wired has published a definitive account of how hacked security cameras have risen to prominence in military arsenals.  

Nozomi Networks tracks the widespread use of IP cameras within the region and across the globe. Of the more than 1 million devices that Nozomi monitors through anonymized data feeds, around 8% are IP cameras. Of those, just over 10% of detected cameras were Hikvision.  

IP Cameras in the Israel-U.S. War on Iran

According to the Financial Times, years before the current escalation, Israel had hacked nearly all of the traffic cameras in Tehran, an extensive network that Iran used for civilian surveillance to quell dissent. Leading up to February 28, Israel used the data feeds to build pattern-of-life models for top bodyguards and, with the CIA, ultimately target the air strike that killed Ayatollah Ali Khamenei and other top Iranian officials. This source of real-time data was just one of hundreds of intelligence feeds, but it was pivotal.

Tel Aviv-based Check Point continuously tracks attempts to hack and use Israeli infrastructure, including IP cameras, by Iran-nexus threat actors. Researchers saw the first sharp spike in mid-January, during the violent crackdown on anti-regime protests in Tehran that Iran feared Israel and the U.S. would exploit. Six weeks later, following the assassinations on February 28, a larger spike hit cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus and Lebanon — the same countries that have been hit by Iranian missiles. The hacking attempts continued through March 1, just as the U.S. and Israel began air strikes on Iran.

Most Compromised Targets: Hikvision and Dahua Cameras

According to Check Point, Iran targeted cameras from Hikvision and Dahua with five CVEs, including one from 2017. Patches for all of the CVEs had long been available but apparently never applied. (Ambiguous ownership of IoT devices, including IP cameras, is notoriously problematic.) One of the Hikvision vulnerabilities (CVE-2021-3626; command injection) grants an attacker full root access to control the device. Note that Hikvision and Dahua devices are banned in the U.S. due to security concerns.  

Finding vulnerable cameras in a desired location is easy. For example, using the Shodan or Censys search engines, attackers can quickly identify cameras with unauthenticated video feeds. Using Dahua cameras as an example, in a March 10 blog post intended to help device owners find internet-exposed cameras before attackers do, Censys identified more than 6,808 unauthenticated Dahua camera feeds exposed to the internet globally.  

Origin Stories: Weizmann Institute and Ukraine

While the weaponization of IP cameras for warfare activities may be more widespread now, it’s been previously documented three times.

  • Onset of Russian invasion of Ukraine, February 2022: Although not issued until May 2025, a joint cybersecurity advisory signed by more than 20 international agencies warned that since February 2022, Russian military unit 26165 (known as APT 28 and Fancy Bear) had hacked thousands of IP cameras near Ukrainian border crossings, military installations and rail stations as part of a broader campaign to track the movement of aid from Western logistics and technology companies.
  • Russian missile assault on Kyiv, January 2024: Immediately following the assault, the Secret Service of Ukraine (SSU) dismantled some 10,000 webcams that could be used to adjust missile attacks, calling on all owners to do the same. In at least one instance, Russian intelligence services had gained remote access to a condominium surveillance camera and changed the angle to adjust their missile strikes.  
  • Israel-Iran 12-Day War, June 2025: Iran hacked security and street cameras around the Weizmann Institute of Science in Rehovot, Israel, before striking it with a ballistic missile, then monitored the live feeds for BDA.

Not surprisingly, the Ukrainian military has likewise been hijacking Russian cameras to plan attacks and tout their successes.

Nozomi Research on IP Cameras

Nozomi Networks Labs has done extensive research on video surveillance systems and IP cameras, including Dahua in 2022. In addition to building security, these devices are used throughout sectors including oil and gas, power grids, and telecommunications. They’re used to oversee many production processes, providing remote visibility to process engineers but also enabling espionage and cyberattack planning. Our focus is to help our critical infrastructure customers harden their environments. Over the last five years, we’ve discovered dozens of vulnerabilities that permit improper authentication/authentication bypass, command injection, and hard-coded or weak credentials.  

Independent of that research, Nozomi Networks tracks the widespread use of IP cameras across the globe. Of the more than 1 million devices that Nozomi monitors through anonymized data feeds, around 8% are IP cameras. Of those, just over 10% of detected cameras were Hikvision.

Vulnerabilities and Threat Actors

While the focus of recent reports has been on Hikvision and Dahua cameras, other vendors have also been observed as targets of scanning activity. The following CVEs have been observed to be part of recent activity.  

The following threat groups have claimed to have compromised cameras or have been observed targeting cameras.

  • MuddyWater
  • Z-Alliance (RUS)
  • Morningstar
  • Handala Hack
  • Radwan Brigade

Recommendations for Securing IP Cameras  

Immediate (Urgent)

  • Understand your attack surface: Assess your external IP space and internal IoT environment to identify any IP cameras.
  • Disconnect exposed IoT: Ensure no IP cameras are directly accessible from the public internet. Transition all remote access to secure VPNs or zero-trust gateways.  
  • Credential reset: Force a site-wide change of all default and weak credentials on all IoT and industrial devices.

Short-Term (Next 7-30 Days)

  • Targeted patching: Prioritize firmware updates for Hikvision and Dahua devices, specifically addressing the CVEs listed above.  
  • Monitoring and detection: Watch for repeated login failures or unexpected remote logins, as well as cameras initiating unusual outbound connections.
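The monitoring bullet above can be turned into three concrete detections. The following is an added example, not Nozomi Networks code: the log format, subnets, allowlist and thresholds are all assumptions chosen for illustration, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed site policy (hypothetical values; adjust to your own network).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")   # camera VLAN
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")     # hosts admins log in from
ALLOWED_DST = {ipaddress.ip_address("10.20.0.10"),  # NVR
               ipaddress.ip_address("10.10.5.53")}  # internal NTP/DNS
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=2)

# Constructed sample events in an assumed format: "timestamp kind src dst result"
SAMPLE = """\
2026-03-01T02:00:01 login 203.0.113.7 10.20.0.21 fail
2026-03-01T02:00:09 login 203.0.113.7 10.20.0.21 fail
2026-03-01T02:00:15 login 10.10.5.14 10.20.0.22 fail
2026-03-01T02:00:20 login 203.0.113.7 10.20.0.21 fail
2026-03-01T02:00:31 login 203.0.113.7 10.20.0.21 fail
2026-03-01T02:00:44 login 203.0.113.7 10.20.0.21 fail
2026-03-01T02:01:02 login 203.0.113.7 10.20.0.21 ok
2026-03-01T02:01:30 login 10.10.5.14 10.20.0.22 ok
2026-03-01T02:02:00 flow 10.20.0.21 10.20.0.10 -
2026-03-01T02:02:05 flow 10.20.0.21 198.51.100.9 -
"""

def detect(text):
    """Return (rule, src, dst) alerts for the three behaviours in the bullet."""
    alerts, fails = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, src, dst, result = line.split()
        ts = datetime.fromisoformat(stamp)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if kind == "login" and dst_ip in CAMERA_NET:
            if result == "fail":
                # Sliding window of recent failures per (source, camera) pair.
                recent = [t for t in fails[(src, dst)] if ts - t <= FAIL_WINDOW]
                fails[(src, dst)] = recent + [ts]
                if len(fails[(src, dst)]) == FAIL_THRESHOLD:
                    alerts.append(("repeated_login_failures", src, dst))
            elif src_ip not in MGMT_NET:
                # Successful login from outside the management subnet.
                alerts.append(("unexpected_remote_login", src, dst))
        elif kind == "flow" and src_ip in CAMERA_NET and dst_ip not in ALLOWED_DST:
            # Camera initiated a connection to something other than NVR/NTP.
            alerts.append(("unusual_outbound", src, dst))
    return alerts
```

On the constructed sample this raises one alert per rule; the two events from the management host and the camera-to-NVR flow stay quiet.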

Long-Term (3-6 Months)

  • Network segmentation: Isolate the security camera VLAN from OT control and enterprise networks to prevent lateral movement.  
  • Supply chain audit: Review the origin and security lifecycle of all embedded systems and sensors. Phase out End-of-Life (EOL) surveillance equipment that no longer receives security updates.
  • Integrated threat modeling: Update your risk assessments to treat physical security cameras as a critical part of the cyber-physical attack surface.

The world is more dangerous today. Even private citizens should assume their security cameras may be weaponized for military surveillance or more. While you’re at it, secure those nanny cameras and Roombas, too.
