Wartime Usage of Compromised IP Cameras Highlights Their Danger

The list of countries exploiting Internet-connected cameras to give them eyes inside their adversaries' borders continues to expand. What should companies look out for?


Compromised Internet-connected cameras — once the fodder of botnet operators and online voyeurs — have become an important military asset in recent conflicts, with Russian and Ukrainian forces hacking cameras to gather intelligence on the other side, Iran using compromised devices for targeted strikes, and a joint US-Israeli mission reportedly relying on connected cameras for the successful strike on Iran's leader.

In the latest incident, Israel and the US reportedly hijacked Iran's network of traffic cameras, which the government used to surveil protesters and to track the movements of Iranian leader Ayatollah Ali Khamenei prior to targeting him with an air strike, killing him on Feb. 28, according to reports this month by the Financial Times and the Associated Press. Following that attack, Iran responded by increasing its attempts to gain eyes in Israel, Qatar, Bahrain, Kuwait, the United Arab Emirates, and Cyprus, according to a report from Israeli cybersecurity firm Check Point Software.

The shift in focus highlights that attacks on IP cameras have evolved from exploiting vulnerabilities and co-opting the connected devices for botnets to much more serious compromises for intelligence gathering, says Noam Moshe, a lead vulnerability researcher with Claroty, a cyber-physical security firm.

"I really do believe that there has been a shift ... to actually exploiting and controlling these devices, both for military and intelligence reasons, [as well as] for propaganda and political division," he says.

Compromising IP cameras used to be an activity limited to demonstrations of lax attack surfaces, the buildout of device-based botnets by cybercriminals, and the invasion of private spaces by hackers. However, the increasing use by nation-states as a cheap way to create a point of presence in an enemy nation underscores that organizations need to take the threat seriously, says Sergey Shykevich, threat intelligence group manager at Check Point Research.

"Access to cameras provides attackers with direct visibility into targeted territories," he says. "The biggest mistake is to leave those cameras unpatched when there are available patches or leaving the default manufacturing credentials."

Hacked IP Cameras Offer Eyes on the Inside

While attacks on cyber-physical systems have been considered serious but not necessarily valuable to date — with a few exceptions, such as the Stuxnet attack and the early days of Russia's invasion of Ukraine — the wartime use of IP cameras to aid targeting inside enemy territory and gauge the damage inflicted following attacks has considerably more value to nation-states.

In addition, as the US and Israel's war with Iran continues, the Iranian government appears to have widened its targeting to include the private sector — a tactic it has used before — as well as industrial controllers, such as SCADA and PLCs, says Claroty's Moshe.

Rather than focus on targeting specific organizations inside countries, Iran's proxies are widening their scans and looking for vulnerable cyber-physical devices — especially IP cameras and industrial control systems — in specific countries, he says.

"We are seeing a big shift to opportunistic attacks, where Iran and other affiliated nations simply look for any exposed device that is affiliated with a specific country," Moshe says. "That increases the likelihood of companies that we [otherwise wouldn't think] of being a target of a nation-state ... essentially being caught in the cost crossfire simply because their assets are exposed and they are inside the wrong 'country.'"

The result is that targeting a specific nation's IP camera infrastructure is relatively uncommon, according to experts.

In addition, camera and Internet of Things (IoT) device makers have become better at securing their products. Instead, the most common insecure devices connected to the Internet are self-managed consumer devices, says Silas Cutler, a principal security researcher at Censys, an Internet intelligence firm.

"Enterprise deployments, such as those found in large organizations or government agencies, are rare, as these are often managed within private networks," he says.

Legacy, Shadow Devices at Risk

Legacy devices that are inadvertently connected to the Internet are the most common reason that a camera may be exposed to compromise, Cutler says. In addition, many governments provide some access to traffic cameras for public benefit, and that could also lead to compromise.

Companies should worry about outdated and shadow technology that is connected to the public Internet, he says. In addition, they should actively scan for known vulnerable cameras and devices in their networks.

If they can detect a compromise, companies do have time to reduce the blast radius of an attack, because in most cases, a hacked device has to be analyzed to be used, says Moshe, who presented four vulnerabilities in Axis cameras at the Black Hat USA session in August.

"It is important to know that, when cameras are found through scanning, it requires time and analysis to prepare before practical use," he says. "Once an attacker finds an exposed camera, further analysis is often required to understand exactly where the camera is monitoring and what information can be obtained from it."

Defense in depth continues to be the ally of enterprises. Companies should scan their own IP address ranges to find unprotected devices and patch the devices that they do know about, says Check Point's Shykevich.

"To reduce risk, companies should maintain strong cyber hygiene by regularly patching systems and enforcing robust password practices," he says. "In addition, placing IoT devices behind perimeter protections such as firewalls with intrusion prevention capabilities adds an extra layer of defense."
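An added example, not from the article or the firms quoted: one way to triage the results of scanning your own address ranges for shadow and Internet-facing cameras, as recommended above. It assumes the scan was saved in nmap's grepable format (`-oG`); the sample scan, the inventory, and the names `parse_grepable` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges are treated as internal; anything else is assumed Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# nmap -oG port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/tcp/[^/]*/([^/]*)/")

# Constructed sample of `nmap -oG` output for an organization's own ranges.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 203.0.113.20 ()\tPorts: 554/open/tcp//rtsp///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.20.0.7 ()\tPorts: 554/open/tcp//rtsp///, 22/closed/tcp//ssh///
Host: 10.20.0.9 ()\tPorts: 554/open/tcp//rtsp///
Host: 203.0.113.31 ()\tPorts: 443/open/tcp//https///
Host: 10.20.0.12 ()\tPorts: 22/open/tcp//ssh///
"""
# Constructed asset inventory of cameras the organization knows it owns.
INVENTORY = {"10.20.0.7": "lobby camera", "203.0.113.31": "parking camera"}

def parse_grepable(text):
    """Return {ip: [(port, service), ...]} for hosts with open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and status-only lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = [(int(p), svc) for p, svc in PORT_RE.findall(ports_field)]
        if open_ports:
            hosts[ip] = open_ports
    return hosts

def audit(scan_text, inventory):
    """Flag camera candidates that are unknown ('shadow') or Internet-facing ('exposed')."""
    findings = {}
    for ip, open_ports in parse_grepable(scan_text).items():
        known = ip in inventory
        streams = any(svc == "rtsp" for _, svc in open_ports)
        if not (known or streams):
            continue  # neither an inventoried camera nor an RTSP streamer
        issues = [] if known else ["shadow"]
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETS):
            issues.append("exposed")
        if issues:
            findings[ip] = issues
    return findings
```

Hosts flagged `exposed` are candidates for moving behind the perimeter; hosts flagged `shadow` need an owner and a patch and credential review before anything else.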
 