For decades, satellites, drones, and human spotters have all been part of war’s surveillance and reconnaissance tool kit. In an age of cheap, insecure, internet-connected consumer devices, however, militaries have gained another powerful set of eyes on the ground: every hackable security camera installed outside a home or on a city street, pointed at potential bombing targets.
On Wednesday, Tel Aviv–based security firm Check Point released new research describing hundreds of hacking attempts that targeted consumer-grade security cameras around the Middle East—with many apparently timed to Iran’s recent missile and drone strikes on targets that included Israel, Qatar, and Cyprus. Those camera-hijacking efforts, some of which Check Point has attributed to a hacker group that’s been previously linked to Iranian intelligence, suggest that Iran’s military has tried to use civilian surveillance cameras as a means to spot targets, plan strikes, or assess damage from its attacks as it retaliates for the US and Israeli bombings that have sparked a widening war in the region.
Iran wouldn’t be the first to adopt that camera-hacking surveillance tactic. Earlier this week, the Financial Times reported that the Israeli military had accessed “nearly all” the traffic cameras in Iran’s capital of Tehran and, in partnership with the CIA, used them to target the air strike that killed Ayatollah Ali Khamenei, Iran’s supreme leader. In Ukraine, the country’s officials have warned for years that Russia has hacked consumer surveillance cameras to target strikes and spy on troop movements—while Ukrainian hackers have hijacked Russian cameras to surveil Russian troops and perhaps even to monitor its own attacks.
Exploiting the insecurity of networked civilian cameras is, in other words, becoming part of the standard operating procedures of armed forces around the world: A relatively cheap and accessible means of getting eyes on a target hundreds of thousands of miles away. “Now hacking cameras has become part of the playbook of military activity,” says Sergey Shykevich, who leads threat intelligence research at Check Point. “You get direct visibility without using any expensive military means such as satellites, often with better resolution.”
“For any attacker who is planning military activity, it’s now a straightforward act to try it,” Shykevich adds, “because it’s easy and provides very good value for your effort.”
In the latest example of that recon technique, Check Point found that hackers had attempted to exploit five distinct vulnerabilities in Hikvision and Dahua security cameras that would have allowed their takeover. Shykevish describes dozens of attempts—which Check Point says it blocked—across Bahrain, Cyprus, Kuwait, Lebanon, Qatar, and the United Arab Emirates, as well as hundreds more in Israel itself. Check Point notes it could view attempted intrusions only on networks equipped with its firewall network appliances and that its findings are likely skewed by the company’s relatively larger customer base in Israel.
None of the five vulnerabilities are “complicated or sophisticated,” Shykevich says. All of them have been patched in previous software updates from Hikvision and Dahua and were discovered years ago—one as early as 2017. Yet as with hackable bugs in so many internet-of-things devices, they persist in security cameras because owners rarely install updates or even become aware that they’re available. (Hikvision and Dahua are both effectively banned in the United States due to security concerns; neither company responded to WIRED’s request for comment on the hacking campaign.)
Check Point found that the camera-hacking attempts were largely timed to February 28 and March 1, just as the US and Israel were beginning their air strikes across Iran. Some of the attempted camera takeovers also occurred in mid-January, as protests spread across Iran and the US and Israel made preparations for their attacks. Check Point says it has tied the targeting of the cameras to three distinct groups it believes to be Iranian in origin, based on the servers and VPNs they used to carry out the campaign. Some of those servers, Shykevich notes, have been previously linked in particular to the Iranian hacker group known as Handala, which several cybersecurity companies have identified as working on behalf of Iran’s Ministry of Intelligence and Security.
