Since a joint U.S.-Israeli airstrike killed Iran’s Supreme Leader Ayatollah Ali Khamenei on February 28, scores of Iranian senior officials have also been killed. According to the Associated Press, two anonymous sources—an intelligence official and a person briefed on the operation—said that hacked Iranian surveillance cameras helped plan the initial attack.
Camera hacking has become a recurring feature of modern warfare. Hamas hacked Israeli cameras before the October 7, 2023, attack; Russia has hacked them in Ukraine, and Iran has hacked them in Israel. But the cameras in question are not exotic spy technology. They’re often unremarkable, much like millions of other devices around the world.
Cheap, ubiquitous and always on, cameras are uniquely useful targets. Poorly secured feeds can reveal where officials live, how convoys move and who walked into which building when. And new AI tools can turn that flood of footage into something searchable and operationally useful.
On supporting science journalism
If you’re enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.
The most basic vulnerability is simple exposure. Matt Brown, an Internet-of-Things (IoT) security researcher and founder of Brown Fine Security, points out that many cameras are effectively open to anyone with an Internet connection. “If there’s not good security in place, somebody can maybe log in to it and view the video feed,” he says.
Sometimes finding a vulnerable camera is easier than hacking one. The platforms Shodan and Censys are, in essence, Google for the physical Internet: by scanning the Web, they catalog everything from webcams to baby monitors and hospital equipment. “Some cameras don’t require any access,” Brown says. “You can just browse public camera feeds.” Others prompt for a password, but if the user has never changed the manufacturer’s default, an attacker can try a short list of common credentials.
Even when cameras are not openly exposed, their underlying architecture is often deeply flawed. Paul Marrapese, a security researcher from San Jose, Calif., has spent years studying the problem. In 2019 he discovered critical flaws in millions of cameras, baby monitors and doorbells sold under dozens of brand names but built by a small number of Chinese manufacturers using shared software libraries.
Many rely on peer-to-peer (P2P) connections for easy setup: plug it in, enter a unique identifier (UID) and watch your front porch from anywhere. The camera regularly pings central servers to report its location. When a user connects, the server tells them how to reach the device.
But the system has exploitable weaknesses. Marrapese discovered vulnerabilities in firmware used by millions of devices. Using UIDs, he could find specific devices and approximate their locations. He could also intercept connections to them. “You didn’t even need the password,” he says. “If you were able to make the connection through peer-to-peer, there was a vulnerability that you could send over that would just give you full, unrestricted root access on the camera.”
More disturbing is the relay system. When direct Wi-Fi connections fail, some vendors quietly instruct customers’ cameras to serve as relays for other devices. “What you may not realize is your camera may also be volunteering for the vendor’s network to help facilitate other people’s connections,” Marrapese says. Anyone monitoring that relay traffic could intercept passwords and video. The UID burned into each device cannot be changed—not by wiping the firmware or by upgrading it.
High-value targets, however, require breaching closed systems. The scenario that Brown suspects applied in Iran involves cameras on a private network not reachable from the open Internet. “By default, people from the Internet can’t just connect into devices on your home network,” Brown says. Government camera networks are even more locked down. “But once you gain access to that private network—that’s the hard part—then it gets easier,” he says. “Their security model almost assumes bad guys won’t have access and therefore don’t require passwords on the cameras.” It’s a digital drawbridge that, once crossed, reveals a castle with every room unlocked.
To penetrate systems like these, intelligence agencies test enemy hardware in their own labs. Israel, for example, could buy the exact camera models used in Iran and hire researchers with Brown’s skill set to take them apart and find vulnerabilities that no one else knows about.
Brown himself buys devices off eBay or pulls them from e-waste bins. One discovery involved an automated license plate reader—the kind of camera mounted on highway overpasses to catalog passing cars. He reverse-engineered it and found that the cameras broadcast not just video but also vehicle data: license plate, make and model. Searching online, he found more than 150 streaming openly to the Internet. “Those are supposed to be on private networks,” he says, “not where any random person sitting in their house can gain access.”
The vulnerability points to a larger shift: cameras now transmit not only images but also analysis. “When machine learning first rolled out,” Brown says, “they shipped video data back to a data center, and then it was all processed on powerful computers.” Now, thanks to specialized chips, that analysis happens on the camera itself—a concept known as edge computing.
For instance, some surveillance cameras can transmit digital representations of faces along with the video stream, so even if the images are grainy, computer systems can still identify the people in them. A system built to identify dissidents or enforce mandatory hijab rules could, if compromised, give an intruder access to that same stream of data.
When remote hacking fails, intelligence agencies can also tamper with the supply chain. “Intelligence services are known to either become the provider or intercept equipment en route and make malicious modifications,” Brown says. In 2024 Israeli operatives infiltrated Hezbollah’s supply chain and used shell companies to sell members pagers and walkie-talkies rigged with explosives. Cameras seeded with back doors are easy to imagine.
“Cameras are sort of perfect,” Marrapese says. “It’s not only a foothold in the network but you have microphones; you have video. You can, a lot of times, even view previous footage.” As for why they remain so hard to secure: “A lot of it really is the human element. Sometimes it’s just some stupid configuration issue. And then patching can be a nightmare.” Even when patches exist, the logistics of updating millions of scattered cameras are daunting. “Think of any IoT devices in your house,” Marrapese says. “When’s the last time you went and checked if that was up to date? Probably never.”
