From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’

For decades, satellites, drones and human observers have all been part of the war surveillance and reconnaissance toolbox. However, in the age of cheap and insecure Internet-connected consumer devices, militaries have gained another pair of powerful eyes on the ground: every hackable security camera installed outside a home or on a city street, pointed at potential bombing targets.
On Wednesday, Tel Aviv-based security firm Check Point released a new study detailing hundreds of hacking attempts targeting consumer security cameras in the Middle East, many apparently linked to Iran’s recent missile and drone strikes on targets including Israel, Qatar and Cyprus. These camera hijacking attempts, some of which Check Point attributed to a hacking group previously linked to Iranian intelligence, suggest that the Iranian military has attempted to use civilian surveillance cameras as a way to scout targets, plan strikes or assess the damage caused by its attacks, in retaliation for U.S. and Israeli bombings that have sparked a widening war in the region.
Iran would not be the first to adopt this camera hacking surveillance tactic. Earlier this week, the Financial Times reported that the Israeli military had accessed “nearly all” of the surveillance cameras in the Iranian capital, Tehran, and used them, in partnership with the CIA, to target the airstrike that killed Ayatollah Ali Khamenei, Iran’s supreme leader. In Ukraine, the country’s officials have warned for years that Russia has hacked surveillance cameras to target strikes and spy on troop movements, while Ukrainian hackers have hijacked Russian cameras to monitor Russian troops and perhaps even monitor their own attacks.
In other words, exploiting the insecurity of civilian networked cameras is becoming part of the standard operating procedures of militaries around the world: a relatively cheap and accessible way to monitor a target hundreds of thousands of miles away. “Now camera hacking has become part of the agenda of military activity,” says Sergey Shykevich, who leads threat intelligence research at Check Point. “You get direct visibility without relying on expensive military means such as satellites, often with better resolution.”
“For any attacker planning a military activity, it’s now easy to try it,” Shykevich adds, “because it’s easy and it pays off very well for your effort.”
In the latest example of this reconnaissance technique, Check Point discovered that hackers attempted to exploit five separate vulnerabilities in Hikvision and Dahua security cameras that would have enabled their takeover. Shykevich describes dozens of attempts, which Check Point says it blocked, in Bahrain, Cyprus, Kuwait, Lebanon, Qatar and the United Arab Emirates, as well as hundreds more in Israel itself. Check Point notes that it was only able to detect intrusion attempts on networks equipped with its firewall network devices and that its conclusions are likely skewed by the company’s relatively larger customer base in Israel.
None of the five vulnerabilities are “complicated or sophisticated,” Shykevich says. All were fixed in previous software updates from Hikvision and Dahua and were discovered years ago, including one as early as 2017. Yet, as with hackable bugs in many Internet of Things devices, they persist in security cameras because owners rarely install updates or even realize they are available. (Hikvision and Dahua are both effectively banned in the United States for security reasons; neither company responded to WIRED’s request for comment on the hacking campaign.)
Check Point found that the camera hacking attempts were largely timed to February 28 and March 1, just as the United States and Israel began their airstrikes on Iran. Some camera takeover attempts also took place in mid-January, as protests spread across Iran and the United States and Israel prepared their attacks. Check Point says it has linked the targeting of the cameras to three separate groups it believes to be of Iranian origin, based on the servers and VPNs they used to carry out the campaign. Some of these servers, Shykevich notes, have previously been linked to, notably, the Iranian hacker group known as Handala, which several cybersecurity companies have identified as working on behalf of the Iranian Ministry of Intelligence and Security.




