Video surveillance vulnerability exposes the "frightening" risks of connected cameras

"It’s deeply unsettling to think of a hostile stranger spying on us through the webcams and camera phones which surround us."

Video surveillance hacks could let threat actors gain literal visibility of businesses, individuals and corporate or organisational secrets (Stock picture of a CCTV camera by Nathy dog on Unsplash; it does not show a device impacted by the vulnerabilities)

The average American is caught on camera up to 50 times a day. In more heavily surveilled countries like the UK, that figure is much higher.

When we see a CCTV or security camera pointed at us, there is simply no way to tell who's watching. We can only assume, perhaps naively, that their intentions are good.

Now the disclosure of critical vulnerabilities in a widely used surveillance camera system has hammered home the grim fact that threat actors from hostile nations or organised crime gangs can hijack cameras to snoop on ordinary citizens or steal corporate and government secrets.

Claroty’s Team82 recently uncovered four critical flaws in the camera management systems sold by a prominent video surveillance firm. Although the bugs are not believed to have been exploited in the wild, their discovery is a reminder that connected infrastructure remains a tempting target for both cybercriminals and nation-state actors.

We've already seen China-linked hackers probing US critical infrastructure and Russian agents hijacking residential cameras in Ukraine, targeting surveillance networks for digital espionage.

Following bans on Chinese technology, products made in the West were meant to be a safer option.

But Claroty found that exploiting the flaws could grant system-level access to the camera management server on an organisation's internal network, along with the ability to control every camera it manages and secretly snoop on the people (or data) they are pointed at.

Furthermore, Claroty warned that the issues let attackers bypass authentication entirely and achieve pre-authentication remote code execution on the management server, from which malicious software can be pushed to the cameras it controls.

To find out more, we spoke to Noam Moshe, Vulnerability Researcher Team Lead at Claroty, who told us how attackers could hijack feeds, disable entire fleets and even gain access to the networks behind them.

For legal reasons, we have decided not to identify the company, which is a long-established business with global operations and significant annual revenues.

Claroty's Noam Moshe led an investigation which disclosed four vulnerabilities in a popular line of video surveillance products

What exactly did Claroty find in the video surveillance firm's systems? 

"We investigated a company that is one of the big players in physical security. It specialises in high-end internet protocol (IP) cameras, and it has a particular reputation as a safe alternative following the controversy surrounding Chinese-made surveillance hardware.

"So, in that context, we wanted to investigate just how secure the company's technology is. Much of its infrastructure is underpinned by a proprietary protocol, which handles communication between the client and server applications of the systems which manage its devices and cameras.

"These are much more than basic camera apps. One piece of software is used to configure and manage entire fleets of devices, while another is the central hub for viewing live feeds. You’ll see these solutions deployed in critical locations from hospitals to airports to government buildings, often across multiple sites.


"The flaws we found allow for pre-authentication remote code execution – meaning an attacker doesn’t need to log in before taking control. Once exploited, they could watch or hijack live feeds, black out cameras, install backdoors, or even use the server’s privileged position to move deeper into a victim’s network. 

"Our internet scans showed over 6,500 servers exposing the vulnerable service online, many in the US, each potentially controlling hundreds or thousands of cameras. Breaching this environment nets an attacker not only access to restricted video, but also a ready-made foothold inside some of the most sensitive networks in the world."

Was this an exploitable vulnerability? What could hackers achieve by targeting it?

"By the time we took our findings public at this year’s Black Hat USA, the vulnerability was closed, thanks to our research. We went through all the proper disclosure processes, and the company involved should be commended for issuing patches as soon as possible. 

"But when the team found it, this was very much a real exploit that could be used in the wild, not just a thought experiment or something applicable only in lab conditions.  

"The attack chain we discovered started with weaknesses in the protocol itself. In short, a hidden endpoint in a fallback connection method allowed anyone to talk to the service without logging in. Combine that with an unsafe 'deserialization' process – where data sent over the connection is turned into software objects – and it’s possible to feed the server a payload that runs any code you want. 

"An attacker could get in through a man-in-the-middle setup, intercepting communications between the company's server and its clients, or simply by scanning the internet for exposed systems using tools like Shodan or Censys. We were easily able to find thousands of accessible networks.


"Once they have access, the power is enormous: they can push malicious software packages to every camera managed by that server. That means one breach could compromise thousands of devices in multiple locations, all at once. 

"Because it uses NTLMSSP (NT LAN Manager Security Support Provider) challenge-and-response in its client-server handshake, connecting to a camera system can reveal the hostname of the computer and any Active Directory domain it's connected to – making it easier for adversaries to find specific targets.

"Finally, as a pre-auth RCE exploit, there are no logins to detect and no obvious signs for security teams to spot. It’s a stealthy, high-impact route that’s perfect for a targeted attacker – especially one with the patience and resources of a nation-state."
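The attack chain Moshe describes, an unauthenticated fallback path feeding untrusted bytes into an unsafe deserializer, modelled as an added Python example. This is not the vendor's protocol, Claroty's exploit or code from the original article: the endpoint names, the session-token check and the use of Python's pickle as the wire format are assumptions chosen to illustrate the pattern, and the "payload" only records that it ran instead of executing a system command. The hardened server authenticates every path, including the legacy one, and restricts what the deserializer is allowed to instantiate, so even an authenticated client cannot turn a message into code execution.

```python
import io
import pickle

# Sink that records when a deserialized payload manages to call a function.
# A real exploit payload would invoke os.system or similar; recording a
# marker keeps the demonstration side-effect free.
EXECUTED = []

def record_execution(marker):
    EXECUTED.append(marker)
    return marker

class MaliciousPayload:
    """pickle's __reduce__ hook lets the *sender* choose a callable that the
    receiver's unpickler will invoke while rebuilding the object."""
    def __reduce__(self):
        return (record_execution, ("pwned",))

def build_malicious_payload():
    return pickle.dumps(MaliciousPayload())

def build_benign_payload():
    return pickle.dumps({"camera": "lobby-01", "fps": 25})

VALID_TOKENS = {"session-123"}   # assumed session store, constructed for the demo

# ---- vulnerable server: hidden fallback path, unrestricted unpickle ---------
def vulnerable_dispatch(endpoint, token, body):
    """The documented endpoint checks a session token; the legacy fallback
    does not, and both hand attacker-controlled bytes to pickle.loads."""
    if endpoint == "/api/v2/config":
        if token not in VALID_TOKENS:
            raise PermissionError("not authenticated")
    elif endpoint == "/legacy/config":
        pass                               # fallback path: no authentication at all
    else:
        raise LookupError("unknown endpoint")
    return pickle.loads(body)              # unsafe deserialization of untrusted bytes

# ---- hardened server: authenticate every path, restrict what can be built ---
class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not on an explicit allowlist, so a
    payload cannot name a function or class for the unpickler to call."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def hardened_dispatch(endpoint, token, body):
    if endpoint not in ("/api/v2/config", "/legacy/config"):
        raise LookupError("unknown endpoint")
    if token not in VALID_TOKENS:          # the legacy path authenticates too
        raise PermissionError("not authenticated")
    return safe_loads(body)

def run_scenarios():
    """Send the payloads to both servers; return what happened in each case."""
    malicious, benign = build_malicious_payload(), build_benign_payload()
    cases = [
        ("vuln_primary_noauth",         vulnerable_dispatch, "/api/v2/config", None,          malicious),
        ("vuln_fallback_noauth",        vulnerable_dispatch, "/legacy/config", None,          malicious),
        ("hard_fallback_noauth",        hardened_dispatch,   "/legacy/config", None,          malicious),
        ("hard_primary_auth_malicious", hardened_dispatch,   "/api/v2/config", "session-123", malicious),
        ("hard_primary_auth_benign",    hardened_dispatch,   "/api/v2/config", "session-123", benign),
    ]
    results = {}
    for label, server, endpoint, token, body in cases:
        EXECUTED.clear()
        try:
            server(endpoint, token, body)
            results[label] = "payload executed" if EXECUTED else "loaded"
        except PermissionError:
            results[label] = "auth denied"
        except pickle.UnpicklingError:
            results[label] = "deserialization blocked"
    return results

if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:28s} -> {outcome}")
```

The allowlist approach is the minimum fix for a format that must stay pickle-like; where the protocol can change, a schema-validated format with no object instantiation at all (JSON, protobuf) removes the whole class of bug rather than filtering it.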
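The hostname and domain leak Moshe mentions, as an added example that is not from the article or Claroty: an NTLMSSP CHALLENGE (Type 2) message carries the server's NetBIOS and DNS names and its domain in the TargetInfo AV_PAIR list, and a client receives it in reply to a NEGOTIATE message before presenting any credential. The message layout follows Microsoft's MS-NLMP specification; the server and domain names used to build the sample reply are made up, and the parser checks offsets and lengths against the message size before trusting them.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE = 1, 2

# NegotiateFlags bits used here (MS-NLMP)
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_REQUEST_TARGET        = 0x00000004
NTLMSSP_NEGOTIATE_NTLM        = 0x00000200
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids inside the TargetInfo block (MS-NLMP)
AV_EOL = 0
AV_NAMES = {1: "nb_computer_name", 2: "nb_domain_name",
            3: "dns_computer_name", 4: "dns_domain_name", 5: "dns_tree_name"}

def utf16(s):
    return s.encode("utf-16-le")

def build_negotiate():
    """Type 1 NEGOTIATE an unauthenticated client sends first. Domain and
    workstation fields are empty; their offsets point past the 32-byte header."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
    empty_field = struct.pack("<HHI", 0, 0, 32)          # Len, MaxLen, Offset
    return SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + empty_field + empty_field

def build_sample_challenge(target_name, av_pairs, server_challenge=b"\x11" * 8):
    """Constructed Type 2 CHALLENGE laid out as a server would build it from its
    own identity (no Version field, so the fixed header is 48 bytes)."""
    target = utf16(target_name)
    info = b"".join(struct.pack("<HH", av_id, len(utf16(v))) + utf16(v)
                    for av_id, v in av_pairs)
    info += struct.pack("<HH", AV_EOL, 0)
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET |
             NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO)
    target_off = 48
    info_off = target_off + len(target)
    msg = SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target), len(target), target_off)   # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += server_challenge                                             # ServerChallenge
    msg += b"\x00" * 8                                                  # Reserved
    msg += struct.pack("<HHI", len(info), len(info), info_off)          # TargetInfoFields
    return msg + target + info

def parse_challenge(msg):
    """Pull the target name and AV_PAIR identity strings out of a CHALLENGE."""
    if (len(msg) < 48 or msg[:8] != SIGNATURE
            or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE_MESSAGE):
        raise ValueError("not an NTLMSSP CHALLENGE message")
    t_len, _, t_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", msg, 40)
    if t_off + t_len > len(msg) or i_off + i_len > len(msg):
        raise ValueError("length/offset fields exceed message size")
    out = {"target_name": msg[t_off:t_off + t_len].decode("utf-16-le"),
           "target_info_present": bool(flags & NTLMSSP_NEGOTIATE_TARGET_INFO)}
    pos, end = i_off, i_off + i_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        if pos + av_len > end:
            raise ValueError("AV_PAIR runs past TargetInfo")
        if av_id in AV_NAMES:                     # unknown ids (e.g. timestamp) are skipped
            out[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return out

def demo():
    """Parse a constructed challenge; the names below are made up, not a real host."""
    reply = build_sample_challenge("CORP", [
        (2, "CORP"), (1, "VMS-SRV01"),
        (4, "corp.example"), (3, "vms-srv01.corp.example"), (5, "corp.example"),
    ])
    return parse_challenge(reply)

if __name__ == "__main__":
    print("client sends NEGOTIATE:", build_negotiate().hex())
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

Pointed at a real service, the same parser applied to the server's reply is all the reconnaissance needed to confirm that a host belongs to a particular organisation's domain; this is why authentication handshakes on management interfaces should not be reachable from untrusted networks even when they cannot be bypassed.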

How dangerous is this vulnerability?  

"When you talk about camera breaches, people often immediately think of our privacy as individuals. Most of us are going through our daily lives surrounded by webcams and camera phones, and it’s deeply unsettling to think of a hostile stranger spying on us through them.  

"And as frightening as that is, there’s an even bigger issue at play with this security flaw. Security cameras are embedded in sensitive environments including airports, hospitals, schools, power plants and government offices. That makes them valuable targets for anyone looking to gather intelligence or disrupt operations. 

"We’ve already seen this play out multiple times in recent years. In Ukraine, Russian intelligence hijacked thousands of residential and business cameras to track the movement of troops and supplies.   

"In the US, there have been widespread concerns about Chinese-made surveillance devices being exploited for espionage. The FCC banned the use of Chinese hardware a few years ago, and the UK government enacted a similar ban, but there are still likely to be white-labelled products out there.

"The company we investigated is one of the preferred secure choices to avoid these issues, but its status as a trusted brand doesn’t make it immune to vulnerabilities. The ability to gain thousands of eyes and ears in sensitive and restricted sites has huge appeal to state-backed actors."

How can organisations protect themselves? 

"The first step is urgent but should be straightforward: check if your environment includes any affected products and apply patches as soon as possible. Organisations should ideally have an inventory of their assets, allowing them to track them down without too much trouble.

"If this ends up being a challenge, it’s a sign the organisation needs to prioritise gaining full visibility of its infrastructure before it has to deal with a potential zero-day vulnerability.

"The video surveillance company deserves credit here: once we disclosed our findings, it acted quickly and responsibly, producing fixes and communicating clearly with customers. That’s the kind of vendor response organisations should look for. 


"Our discovery should be taken as a warning of a wider threat to surveillance assets, regardless of manufacturer: they’re a high-value target to bad actors. I’d urge any business using these kinds of products to check their security status, starting with making sure camera management systems aren’t directly exposed to the internet.

"Many of the 6,500 vulnerable servers we found were publicly reachable, which makes them easy targets. Keep these systems behind firewalls and use VPNs or other secure channels for remote access. 

"Network segmentation is also vital. Camera servers shouldn’t sit on the same network as critical business systems, and proper segmentation will limit the scope of lateral movement if they are compromised. Regular penetration testing and vulnerability scanning can help spot weaknesses before attackers do. 

"A final takeaway is to remember that physical security devices are also IT assets. If it runs software and connects to networks, it needs the same level of maintenance, monitoring, and risk management as any other part of your infrastructure."
