
Nation-state actors increasingly target exposed IP cameras for intelligence and physical targeting

Recent geopolitical conflicts have driven threat actors to leverage compromised internet-connected cameras and cyber-physical systems for operational visibility. Security researchers emphasize that organizations must actively manage shadow IT and secure legacy IoT devices to avoid exposure in opportunistic scanning campaigns.

Triage Security Media Team

Internet-connected cameras have shifted from being primary targets for botnet operators to strategic assets in geopolitical conflicts. Russian and Ukrainian forces have accessed cameras to gather intelligence, while a joint US-Israeli mission reportedly relied on connected cameras prior to a fatal strike on Iran's leader. Furthermore, Iranian actors have leveraged compromised devices for operational support and physical targeting.

Reports from outlets including the Financial Times and the Associated Press indicate that Israel and the US accessed Iran's traffic camera network, infrastructure the government had used to monitor protesters, to track the movements of Ayatollah Ali Khamenei prior to a February 28 military strike. Following this event, Check Point Software reported that Iranian threat actors increased scanning and access attempts against camera networks in Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus.

This shift demonstrates that unauthorized access to IP cameras has evolved. Instead of merely co-opting devices for botnets, threat actors now prioritize intelligence gathering. Noam Moshe, a lead vulnerability researcher with cyber-physical security firm Claroty, notes a definitive transition toward controlling these devices for military, intelligence, and political purposes.

Sergey Shykevich, threat intelligence group manager at Check Point Research, explains that unauthorized camera access provides threat actors with direct visibility into targeted regions. He advises that leaving cameras unpatched or running them with factory default credentials remains a primary security gap that organizations must close.

Operational visibility through exposed devices

Historically, unauthorized access to cyber-physical systems was viewed as a serious but somewhat theoretical concern, with notable exceptions like the Stuxnet incident and the early stages of the Ukraine conflict. Today, accessing IP cameras to aid targeting and conduct battle damage assessment offers concrete, immediate value to nation-states.

As regional conflicts persist, Iranian-affiliated actors have broadened their scope to include private sector targets and industrial control systems, such as supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs), according to Moshe. Rather than strictly targeting specific organizations, these proxy groups conduct opportunistic scanning for exposed cyber-physical devices affiliated with particular countries. Organizations may find themselves caught in the geopolitical crossfire simply because their assets are externally exposed.

Security improvements by camera and Internet of Things (IoT) manufacturers have reduced the prevalence of easily accessible enterprise devices. Silas Cutler, a principal security researcher at Censys, points out that enterprise deployments are typically secured within private networks. The most frequently exposed hardware tends to be self-managed consumer devices.

Securing legacy and shadow infrastructure

Legacy devices inadvertently connected to the public internet remain a primary source of exposure. Public-access feeds from municipal traffic cameras, offered as a public benefit, can also introduce security risks. Cutler recommends that organizations actively inventory their networks for shadow IT and outdated technology reachable from the public internet.

When an unauthorized party discovers an exposed camera, they still need time to analyze the feed and determine its operational value. Moshe, who presented research on four vulnerabilities in Axis cameras at the Black Hat USA conference, explains that this analysis phase provides organizations with a window to detect and mitigate the exposure before the feed can be used effectively.

Maintaining defense in depth remains the most reliable strategy for protecting enterprise environments. Shykevich recommends that organizations regularly scan their own IP ranges to identify unprotected devices and apply missing patches. Strong security hygiene, such as enforcing robust password policies and placing IoT devices behind firewalls with intrusion prevention capabilities, creates a resilient barrier against opportunistic scanning.
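The inventory advice above (scan your own ranges for shadow IT and exposed cameras) is easy to turn into a small self-check. The script below is an added example written for this page; it is not code from the article, Check Point, Censys or Claroty. It assumes that cameras answer RTSP on 554/8554 and serve an HTTP admin UI on 80/8080, treats any RTSP responder on an external range as worth a look, and flags HTTP services whose Server or WWW-Authenticate header contains a constructed list of camera vendor hints. The "fake camera" listener and its banner are constructed so the example runs offline against 127.0.0.1.

```python
"""Added example: self-scan your own IP ranges for exposed camera services.

Assumptions (not from the article): RTSP on 554/8554, HTTP UI on 80/8080,
and a constructed vendor-hint list. The embedded fake camera exists only so
the demo runs offline; point scan() at your own externally routable ranges.
"""
import ipaddress
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# (port, protocol) pairs probed on every host. Assumed defaults, not from the page.
DEFAULT_TARGETS: List[Tuple[int, str]] = [(554, "rtsp"), (8554, "rtsp"),
                                          (80, "http"), (8080, "http")]
# Constructed substrings commonly seen in camera banners (heuristic only).
CAMERA_HINTS = ("axis", "hikvision", "dahua", "ipcam", "webcam", "onvif", "nvr")


def _header(reply: str, name: str) -> str:
    """Return the value of one header from a raw RTSP/HTTP reply, or ''."""
    m = re.search(rf"^{name}:\s*(.*?)\r?$", reply, re.I | re.M)
    return m.group(1).strip() if m else ""


def probe(host: str, port: int, proto: str, timeout: float = 1.0) -> Optional[str]:
    """Send one RTSP OPTIONS or HTTP HEAD request; return the raw reply or None."""
    if proto == "rtsp":
        req = f"OPTIONS rtsp://{host}:{port}/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"
    else:
        req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(req.encode())
            data = b""
            try:
                while b"\r\n\r\n" not in data and len(data) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass                      # keep whatever arrived before the deadline
    except OSError:                       # refused, unreachable, or no connection in time
        return None
    return data.decode("latin-1") or None


def classify(proto: str, reply: str) -> Dict[str, object]:
    """Turn a raw reply into a finding: camera-like or not, auth demanded or not."""
    status = reply.split("\r\n", 1)[0]
    server = _header(reply, "Server")
    realm = _header(reply, "WWW-Authenticate")
    text = f"{server} {realm}".lower()
    # An RTSP responder on a public range is always worth a look; HTTP needs a hint.
    camera = proto == "rtsp" or any(h in text for h in CAMERA_HINTS)
    return {"status": status, "server": server, "camera": camera,
            "auth_required": " 401 " in status}


def expand_hosts(spec: str) -> List[str]:
    """'192.0.2.0/30' -> its usable hosts; a bare address -> [that address]."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def scan(specs: List[str], targets=DEFAULT_TARGETS, timeout: float = 1.0) -> List[Dict[str, object]]:
    """Probe every host in the given CIDRs/addresses and collect findings."""
    findings: List[Dict[str, object]] = []
    for spec in specs:
        for host in expand_hosts(spec):
            for port, proto in targets:
                reply = probe(host, port, proto, timeout)
                if reply:
                    finding: Dict[str, object] = {"host": host, "port": port, "proto": proto}
                    finding.update(classify(proto, reply))
                    findings.append(finding)
    return findings


def start_fake_camera(server_banner: str = "ExampleCam IPCam/1.0"):
    """Constructed stand-in for an exposed camera on 127.0.0.1 (demo only).
    Answers RTSP OPTIONS, and answers anything else as an HTTP UI behind Basic auth."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                    # listener closed
            with conn:
                conn.settimeout(1.0)
                try:
                    req = conn.recv(1024)
                except OSError:
                    req = b""
                if req.startswith(b"OPTIONS"):
                    reply = (f"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: {server_banner}\r\n"
                             "Public: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n")
                else:
                    reply = (f"HTTP/1.0 401 Unauthorized\r\nServer: {server_banner}\r\n"
                             'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n')
                conn.sendall(reply.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    listener, fake_port = start_fake_camera()
    for f in scan(["127.0.0.1"], [(fake_port, "rtsp"), (fake_port, "http"), (1, "http")]):
        print(f)
    listener.close()
```

Run it against your own externally routable ranges with the default targets (and a thread pool if the ranges are large); anything returned with `camera` set, and especially with `auth_required` false, is a device to pull behind the firewall or decommission. A device that answers with a 401 and a plaintext Basic realm is still a finding: it advertises itself to opportunistic scanners and invites credential guessing.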