Military Forces Are Hacking Civilian Security Cameras

By alex2404

Networked civilian infrastructure has long been a target of military intelligence operations, but the proliferation of cheap, poorly secured Internet-connected cameras has extended that principle to the street level — and into active combat planning.

Tel Aviv–based security firm Check Point released research this week describing hundreds of attempts to hijack consumer-grade security cameras across the Middle East, with many of those attempts timed to coincide with Iran’s recent missile and drone strikes on targets in Israel, Qatar, and Cyprus. According to the announcement, Check Point has attributed a portion of the campaign to hacker groups it believes are Iranian in origin, including one — known as Handala — that multiple cybersecurity firms have previously linked to Iranian intelligence.

The targeting pattern suggests Iran’s military attempted to use civilian surveillance cameras to observe targets, coordinate strikes, or assess damage. It would not be the first party to do so. The Israeli military reportedly accessed nearly all traffic cameras in Tehran and, in partnership with the CIA, used that access to guide the air strike that killed Ayatollah Ali Khamenei. In Ukraine, officials have warned for years that Russia has exploited consumer cameras to target strikes and monitor troop movements, while Ukrainian hackers have done the same to Russian forces.

“Now hacking cameras has become part of the playbook of military activity,” says Sergey Shykevich, who leads threat intelligence research at Check Point. “You get direct visibility without using any expensive military means such as satellites, often with better resolution.” He adds that for any actor planning military activity, attempting camera access has become “a straightforward act… because it’s easy and provides very good value for your effort.”

How the Campaign Worked

Check Point identified five distinct vulnerabilities targeted in cameras manufactured by Hikvision and Dahua — both of which are effectively banned in the United States over security concerns. None of the five flaws are technically complex, according to Shykevich, and all have been patched in previous software updates, with one first disclosed as early as 2017. They remain exploitable because device owners rarely apply available updates.

The firm documented dozens of blocked intrusion attempts across Bahrain, Cyprus, Kuwait, Lebanon, Qatar, and the United Arab Emirates, alongside hundreds more in Israel. Check Point notes that its visibility is limited to networks running its own firewall appliances and acknowledges its findings skew toward Israel, where its customer base is proportionally larger. Neither Hikvision nor Dahua responded to requests for comment.

Timing and Attribution

The bulk of the camera-targeting activity clustered around February 28 and March 1, as US and Israeli air strikes against Iran were beginning. A separate cluster occurred in mid-January, coinciding with protest activity inside Iran and early preparations for those attacks. Check Point tied the attempts to three distinct groups based on the servers and VPNs used to execute the campaign.

The pattern across Iran, Israel, Russia, and Ukraine points to a consistent operational logic: networked civilian cameras offer military-grade reconnaissance at minimal cost and technical complexity. Consumer IoT security practices — specifically, the near-universal failure to apply firmware updates — have made that calculus straightforward for any actor willing to exploit it.


This article is a curated summary based on third-party sources.
