TL;DR

Security cameras, IoT, and OT devices that are meant to protect us, are easily compromised and turned against defenders, enabling nation-state reconnaissance (Iranian hacks on Hikvision/Dahua cameras during strikes, Russian webcam abuse in Ukraine), espionage via exposed live feeds, ransomware pivots (Akira group bypassing EDR), massive botnets (Mirai/Eleven11bot), and physical disruption. Structural weaknesses like default credentials, poor patching, internet exposure, supply-chain risks and espionage by design makes them ideal attacker tools, especially since they can’t receive endpoint security agents. Zero Trust Connectivity (ZTc) solves this by enforcing network-level Zero Trust: it blocks unauthorized connections before they form, requires no endpoint agents, prevents lateral movement, and supports decentralized deployment with sovereign data custody — giving defenders a powerful way to secure all devices without traditional detection or centralized decryption. In short, the watcher must be properly isolated at the network layer. In cybersecurity, the watcher must be watched most closely of all.

Turning Defense Technology Against the Defenders

We live in an era where security cameras, smart sensors, industrial controllers, other Internet of Things (IoT) and Operational Technology (OT) devices are deployed everywhere—from traffic poles, corporate boardrooms and factory floors to homes and critical infrastructure. They are meant to watch, alert, and protect. Yet when attackers gain control, these very devices become potent weapons in their hands: silent observers feeding real-time intelligence, hidden pivots into protected networks, launchpads for massive distributed denial-of-service (DDoS) attacks, or even tools for physical disruption and espionage.

The problem is structural. Many IoT and OT devices ship with default credentials, receive infrequent (or no) firmware updates, lack proper network segmentation, and are exposed directly to the internet. Even in well managed deployments of IoT and OT, the supply chain threat is an additional attack vector. In cases where defenders patch devices to the latest firmware update, attackers could still be turning their equipment against them by pushing compromised firmware to the devices.

Once breached they grant attackers low-effort footholds. From there, the devices can be repurposed for reconnaissance, lateral movement, data exfiltration, or amplification of larger campaigns. In OT environments, where these devices increasingly converge with IT networks, a single compromised camera or sensor can open the door to industrial control systems (ICS) that manage physical processes. Cyber as a warfare domain could be the area where underfunded or outgunned adversaries can cause the most damage.

Security researchers and government agencies have repeatedly warned against these risks but the threat is no longer theoretical. Adding to the complexity is the problem that no endpoint agent can be deployed on these devices and a single device compromised could be the only potential connection point the attackers need to advance their attack.

In the light of defending against abuse of security cameras, the following are important aspects to consider:

State Actors Weaponize Cameras for Battlefield Intelligence
In March 2026, researchers at Check Point documented hundreds of hacking attempts by Iranian-linked threat actors targeting internet-connected Hikvision and Dahua IP cameras across Israel, Bahrain, Cyprus, Kuwait, Lebanon, Qatar, and the UAE. The attempts were timed to coincide with Iranian missile and drone strikes, suggesting the cameras were being hijacked for real-time reconnaissance—spotting targets, assessing damage, or guiding follow-on kinetic operations. The attackers exploited known vulnerabilities in the cameras’ firmware and used commercial VPNs and VPS infrastructure to scan and compromise devices.

This mirrors earlier Russian tactics. In January 2024, Russian operatives compromised residential webcams in Kyiv, Ukraine, to monitor air-defense systems and critical infrastructure ahead of missile strikes; some feeds were even streamed publicly on YouTube. A May 2025 joint advisory from more than 20 international agencies (including the U.S., UK, Australia, and others) warned of an ongoing Russian GRU campaign that systematically targeted RTSP servers hosting IP cameras at Western logistics and technology firms, primarily to harvest live imagery and metadata from Ukrainian networks.

Exposed Cameras as Everyday Espionage Tools
In June 2025, cybersecurity firm Bitsight identified more than 40,000 security cameras worldwide with live feeds accessible via nothing more than a web browser and an IP address. Many were located in homes, offices, factories, and public spaces; attackers could view interiors, employee movements, or manufacturing processes in real time. Dark-web forums openly discussed tools to locate and abuse these exposures.

Nation State Espionage Interest
Nation States with an interest in espionage are funnelling data in huge quantity to be processed and harvested for information. Especially concerning China, a myriad of reports show concrete evidence of automatic “phoning home” behavior, persistent data exfiltration even when cloud features are disabled, and specific incidents of communication with China-based servers. This aligns with broader concerns under China’s National Intelligence Law, which requires companies to assist state intelligence efforts.

IoT Cameras as Ransomware Springboards
In early 2025, the Akira ransomware group demonstrated a particularly creative pivot. After endpoint detection and response (EDR) tools blocked their Windows-based encryptor, attackers gained remote shell access to an unsecured Linux-based IP webcam on the victim’s network. From the camera they mounted network shares, exfiltrated data, and launched the ransomware payload—bypassing traditional defenses entirely.

Botnet Armies Built from Hijacked Cameras
Compromised IP cameras and network video recorders (NVRs) remain favorite building blocks for massive botnets. In June 2025, the Eleven11bot malware infected roughly 30,000 devices—mostly outdated IP cameras and NVRs—turning them into a coordinated attack infrastructure. Variants of the decade-old Mirai malware continue to evolve, exploiting unpatched flaws such as those in AVTECH cameras as late as 2024–2025.

Critical Infrastructure at Risk
Unpatched vulnerabilities in AVTECH IP cameras—widely used in finance, healthcare, transportation, and other critical sectors—were actively leveraged to spread Mirai-based malware, prompting advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Physical disruption is easily achieved. In July 2025, a cyberattack on the Netherlands’ Public Prosecution Service rendered dozens of speed cameras permanently offline (or at least kept them from being reactivated), demonstrating how compromised camera infrastructure can directly impair law-enforcement capabilities.

These incidents show a clear pattern: attackers no longer need sophisticated zero-days to cause harm. They simply locate the weakest link in the expanding IoT/OT attack surface—often a camera —and repurpose it. The consequences range from privacy violations and espionage to physical-world kinetic support in Cyber War and large-scale service outages.

The good news is that advances in technology does not only provide more leverage to attackers – Defenders also have access to new tools: Enter Zero Trust Connectivity – a new expression of Zero Trust that is implemented on the network level, can disrupt attacks before they could establish a connection. This requires no endpoint agent and does not rely on detecting an attack before the attack could be disrupted. Deployment is decentralized which aids in resilience and facilitates sovereign data custody – meaning there is no centralized data flow or decryption required that has traditionally hindered IoT devices that contain confidential data from being protected by 3rd party security systems.

Defenders must treat every camera, sensor, and OT endpoint with the same rigor as traditional IT assets: enforce strong, unique credentials; implement network segmentation (never expose OT/IoT devices directly to the internet); apply verified patches promptly; monitor for anomalous behavior; and adopt zero-trust principles even for “dumb” devices. The vulnerability protection of ZeroTrust Connectivity without the need to detect intrusions & asset inventory are no longer optional—they are table stakes.

The uncomfortable truth is that the eyes we install to watch over us can just as easily watch for our adversaries. In cybersecurity, the watcher must be watched most closely of all.

Additional Reading:

Purdue 2.0? : Rising to the Challenge to secure OT with Zero Trust Connectivity – The ADAM Blog – ADAMnetworks – Explains the role of Zero Trust Connectivity applied to the protection of OT and Critical Infrastructure

“Wartime Usage of Compromised IP Cameras Highlight Their Danger” – Discusses Iranian, Russian, and other actors exploiting cameras for real-time intelligence in conflicts.

“When Smart Cameras Turn Blind: The Growing Cyber Threat to IoT Security Systems” – Covers vulnerabilities in smart camera infrastructure and attacks like the Netherlands speed camera incident.

“The Hidden Security Crisis: Why Your IoT Devices Are Handing Attackers the Keys to Your Network” – Details the Akira ransomware case using a compromised IP webcam as a pivot.

Healing a Broken Philosophy that Keeps Hurting Healthcare – Explores the vulnerability of IoT technologies and how Zero Trust Connectivity provides a solution for protecting technology debt in IoT-rich environments.

1 post – 1 participant

Read full topic

*** This is a Security Bloggers Network syndicated blog from The ADAM Blog - ADAMnetworks authored by Francois_Driessen. Read the original post at: https://support.adamnet.works/t/when-your-own-eyes-turn-against-you-how-compromised-security-cameras-and-iot-ot-devices-become-tools-for-your-attackers/1532