There is a specific version of this threat that keeps appearing in incident reports, intelligence advisories, and forensic analyses, and it keeps surprising security teams that thought they understood their camera systems.
The pattern goes like this: an organization discovers a network intrusion. During the investigation, analysts trace the initial foothold not to a phishing email or a compromised workstation, but to an IP camera or a smart building sensor. The device was not the intended target. It was the entry point. From there, the attacker moved to systems that actually held the data or access they wanted.
In a separate class of incidents, the discovery is different: the organization’s cameras and IoT devices were not the entry point for an attack against that organization — they were being used to attack someone else. The devices had been silently enrolled in a botnet, their bandwidth and IP addresses used to route malicious traffic. The owner had no idea.
Both threat patterns are well documented. Both are actively being exploited in 2026. And both are products of decisions made when organizations designed, deployed, and maintained their physical security and smart building infrastructure.
The Surveillance System as Attack Vector
IP cameras were among the earliest IoT devices to receive serious security research attention, primarily because they are ubiquitous, they are almost always internet-facing or reachable from internet-facing networks, and they historically shipped with atrocious security defaults.
The Mirai botnet, which in 2016 produced the largest DDoS attack recorded at the time, was primarily composed of compromised IP cameras and DVRs. Many of those devices used default credentials that had never been changed. The attack was not sophisticated — it was a credential stuffing campaign that found millions of devices with factory-default username and password combinations, enrolled them in a botnet, and directed their traffic at targets.
That was 2016. The underlying conditions that made Mirai possible have not been resolved. In 2026, IP cameras remain among the most commonly compromised IoT device categories in enterprise environments, for reasons that go beyond credential hygiene.
Why Cameras Are High-Value Compromise Targets
From an attacker’s perspective, a compromised IP camera inside an organization’s network offers several distinct capabilities that make it more valuable than a compromised generic IoT sensor.
Persistent access. Cameras run continuously, are rarely rebooted, and are infrequently monitored from a security perspective. IT teams monitor server availability and workstation security; camera systems are typically managed by facilities or physical security teams with different tooling, different monitoring cadences, and often different reporting structures. A compromise that lands in the camera system can persist for months without detection.
Network positioning. Security cameras are frequently deployed throughout an organization’s physical space, which means they are connected to network segments that cover a wide range of physical locations. A camera in the server room, the executive floor, or a secure facility area is positioned within the network in a way that may offer access to systems that more restricted network segments would not.
Video access. Beyond the network pivot opportunity, a compromised camera provides the attacker with actual video feeds from inside the target organization. This has been observed in state-sponsored operations: Iranian-linked actors documented by Check Point in early 2026 were targeting Hikvision and Dahua cameras across the Middle East, with timing correlated to military operations. The video access is an intelligence capability in its own right, separate from any network pivot opportunity.
Relay infrastructure. As documented in the April 2026 CISA advisory on China-nexus covert networks, compromised IoT devices including cameras are used as relay nodes — traffic from attacks against other targets is routed through the compromised device, using its legitimate IP address to evade detection and attribution.
The Hikvision and Dahua Problem
Two manufacturers — Hikvision and Dahua — collectively account for a substantial portion of the global IP camera installed base. Both are Chinese state-linked companies. Both have been subjects of significant US government regulatory action.
In 2022, the FCC designated Hikvision and Dahua as national security threats and prohibited the use of federal funds to purchase their equipment. In 2023, additional restrictions were enacted. The concern is twofold: documented firmware vulnerabilities in both product lines, and the national security implications of deploying surveillance infrastructure manufactured by Chinese state-linked companies inside sensitive facilities.
In practice, both manufacturers’ equipment remains widely deployed in commercial buildings, smart offices, and enterprise environments that were built before the regulatory restrictions took effect, or that were deployed without awareness of the national security concerns.
The documented vulnerability history is significant. Hikvision cameras have been subjects of multiple high-severity CVE disclosures, including CVE-2021-36260, an unauthenticated remote code execution vulnerability that received a CVSS score of 9.8 and was added to the CISA Known Exploited Vulnerabilities catalog after evidence of active exploitation. Exploitation of that vulnerability in unpatched cameras was documented into 2024 and beyond.
Dahua has a comparable vulnerability history. Both manufacturers’ devices continue to receive security updates for supported models, but the installed base includes a substantial proportion of devices that are no longer supported, or that are supported but have never been patched in the field.
For organizations with Hikvision or Dahua equipment in their smart office or building security deployments: if those devices are internet-facing, directly or through the camera management platform, and running firmware that is not current, the risk is not theoretical. These specific devices, with specific known vulnerabilities, are being actively exploited.
The Building Automation Pivot
Cameras are the highest-profile IoT pivot threat, but they are not the only one. Building automation systems — HVAC controllers, smart lighting systems, access control panels, elevator management, environmental sensors — present a comparable risk profile with an additional complication: they are often connected to both enterprise IT networks and operational technology networks, creating a potential bridge between the two.
The OT-IT convergence risk in smart buildings is architecturally distinct from the camera risk. A compromised camera is a threat primarily because of its network position and the persistence it offers. A compromised building automation controller is a threat because it may offer access to systems that control physical conditions — temperature, power, physical access — while simultaneously having network connectivity that reaches enterprise IT systems.
Incidents documented in recent years include attackers using compromised building automation systems to establish persistence across IT/OT network boundaries. The building management network — which connects HVAC, lighting, and access control systems — is often less monitored and less hardened than the corporate IT network, making it an attractive lateral movement corridor.
The Niagara Framework, BACnet, and Modbus are among the most commonly used building automation protocols. All were designed for operational reliability in isolated environments and predate the security requirements of internet-connected deployments. All are present in smart office building management systems that now have network connectivity they were not designed to secure.
What Attackers Do After the Camera Compromise
Understanding the post-compromise behavior that security researchers and incident responders have documented helps illustrate why camera security is a network security issue, not just a physical security issue.
Reconnaissance. Compromised cameras are used to map the internal network — identifying connected devices, services, and network topology. From a camera that has direct network access to multiple VLANs, an attacker can conduct reconnaissance that would require separate footholds on a well-segmented network.
Credential harvesting. Cameras connected to Active Directory-integrated video management systems may have credentials stored in configuration files or memory. These credentials are a direct path to enterprise network access.
Lateral movement staging. Compromised cameras in the same network segment as other IoT devices — smart displays, conference room systems, access control panels — can be used to attack those adjacent systems. A compromised conference room display with enterprise calendar integration is a more valuable compromise than a camera with no enterprise system access.
Persistence. Some camera firmware supports persistent implants that survive factory reset. As noted in the NCSC’s guidance accompanying the April 2026 China-nexus advisory, firmware-level persistence is a specific capability of the implants used in state-sponsored campaigns. Organizations assessing potentially compromised camera systems should treat replacement as more reliable than factory reset.
C2 relay. The most prevalent use of compromised cameras in 2026 is as command-and-control relay infrastructure. The camera receives instructions from the attacker’s infrastructure and forwards them to other compromised devices, or relays traffic from attack operations against other targets. The camera’s legitimate IP address and normal-appearing network behavior make this relay traffic difficult to detect without specific behavioral monitoring.
Detection Indicators
Unlike endpoint compromises, camera and IoT device compromises often leave traces in network behavior rather than host-based indicators. Security teams should monitor for:
Unusual outbound connections. Cameras and building automation devices have defined communication patterns — they connect to management servers, cloud platforms, and NTP services. Traffic to unexpected IP ranges, particularly high-volume outbound connections or connections to known botnet infrastructure IPs, is an indicator of compromise.
Internal scanning behavior. A camera conducting network reconnaissance will generate connection attempts to hosts and ports outside its normal operational profile. Network flow monitoring with baseline behavior profiling can detect this.
Authentication anomalies. Cameras integrated with directory services generate authentication events. Unusual authentication activity from camera system service accounts, particularly outside business hours, warrants investigation.
Configuration changes. Unauthorized firmware updates, changed administrator credentials, or modified network settings are indicators that a device has been accessed by someone other than the legitimate administrator.
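The indicators above (unexpected outbound connections, internal scanning, and the reconnaissance and relay behaviour described in the previous section) are all visible in flow records rather than on the device. The following script is an added example, not code from the article or from any vendor: it profiles camera-originated flows against a constructed baseline of permitted peers and flags the three network-side indicators. The segment addressing, the allowed-peer set, the thresholds and the sample flow records are all constructed for illustration and would be replaced by the organisation's own VLAN layout and VMS/NTP addresses.

```python
"""Flow-record checks for the camera/IoT segment indicators described above.
Added example, not from the original article. Device roles, addresses,
thresholds and the flow records are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment layout (hypothetical addressing).
CAMERA_SEGMENT = ip_network("10.50.0.0/24")           # camera VLAN
ENTERPRISE_SEGMENTS = [ip_network("10.10.0.0/16")]     # corporate IT
INTERNAL_SEGMENTS = [CAMERA_SEGMENT, *ENTERPRISE_SEGMENTS]

# Constructed baseline: the only peers a camera legitimately talks to.
ALLOWED_PEERS = {
    ("10.50.0.5", 554),   # VMS/NVR, RTSP video
    ("10.50.0.5", 443),   # VMS, management API
    ("10.50.0.2", 123),   # NTP
}
SCAN_FANOUT_THRESHOLD = 10        # distinct (dst, dport) pairs from one camera
BULK_EGRESS_BYTES = 50_000_000    # bytes sent to a single external peer


def in_any(ip, networks):
    return any(ip_address(ip) in net for net in networks)


def analyze_flows(flows):
    """Return sorted (src, indicator, detail) findings for camera-originated flows.
    Each flow is a dict with src, dst, dport and bytes (bytes sent by src)."""
    findings = set()
    fanout = defaultdict(set)          # src -> distinct internal (dst, dport) pairs
    external_bytes = defaultdict(int)  # (src, dst) -> bytes sent to external peer
    for f in flows:
        src, dst, dport = f["src"], f["dst"], f["dport"]
        if not in_any(src, [CAMERA_SEGMENT]):
            continue                                   # only profile cameras
        if (dst, dport) in ALLOWED_PEERS:
            continue                                   # inside the baseline
        if in_any(dst, INTERNAL_SEGMENTS):
            fanout[src].add((dst, dport))              # reconnaissance signal
            if in_any(dst, ENTERPRISE_SEGMENTS):       # IoT -> IT should not route
                findings.add((src, "enterprise-reach", f"{dst}:{dport}"))
        else:
            external_bytes[(src, dst)] += f["bytes"]   # possible relay / exfil
            findings.add((src, "unexpected-egress", f"{dst}:{dport}"))
    for src, pairs in fanout.items():
        if len(pairs) >= SCAN_FANOUT_THRESHOLD:
            findings.add((src, "internal-scan", f"{len(pairs)} distinct dst/port pairs"))
    for (src, dst), total in external_bytes.items():
        if total >= BULK_EGRESS_BYTES:
            findings.add((src, "bulk-egress", f"{total} bytes to {dst}"))
    return sorted(findings)


def indicators_by_source(findings):
    """Collapse findings to {src: set(indicator)} for triage."""
    out = defaultdict(set)
    for src, indicator, _ in findings:
        out[src].add(indicator)
    return dict(out)


def build_sample_flows():
    """Constructed flow records: a healthy camera, a scanning camera,
    a camera pushing bulk traffic to an external host, and one touching AD."""
    flows = []
    flows += [{"src": "10.50.0.21", "dst": "10.50.0.5", "dport": 554, "bytes": 4_000_000}] * 20
    flows += [{"src": "10.50.0.21", "dst": "10.50.0.2", "dport": 123, "bytes": 76}] * 5
    flows += [{"src": "10.50.0.22", "dst": f"10.10.1.{i}", "dport": 445, "bytes": 120}
              for i in range(1, 13)]
    flows += [{"src": "10.50.0.23", "dst": "203.0.113.9", "dport": 443, "bytes": 20_000_000}] * 3
    flows += [{"src": "10.50.0.24", "dst": "10.10.5.5", "dport": 389, "bytes": 2_048}]
    return flows


if __name__ == "__main__":
    for src, indicator, detail in analyze_flows(build_sample_flows()):
        print(f"{src:12} {indicator:18} {detail}")
```

The healthy camera (10.50.0.21) produces no findings because every flow it originates is in the baseline; the scanning camera trips both the fan-out threshold and the IoT-to-IT rule; the camera sending 60 MB to an external address is flagged both for leaving the segment and for volume. In practice the baseline is learned from a clean period of flow data rather than hand-written, and the thresholds are tuned per device class.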
Architecture Recommendations
The structural fix for the camera-as-attack-vector problem is network isolation. Cameras and building automation systems should not have network connectivity to enterprise systems except through defined, monitored integration points. This means:
- Dedicated IoT/OT network segments with VLANs for cameras, building automation, and other device categories
- No direct routing between IoT segments and enterprise IT segments; integration traffic should pass through application-layer gateways where it can be inspected
- Internet access restrictions for IoT devices — cameras and building automation controllers that do not require direct internet access should not have it; cloud management access can be proxied through controlled egress points
- Manufacturer update access should be explicitly whitelisted rather than permitted by default; all other outbound traffic from IoT segments should be logged and anomalies reviewed
For organizations with Hikvision, Dahua, or other high-risk camera equipment: if replacement is not immediately possible, isolate those devices to a dedicated segment with outbound internet access blocked, and implement monitoring for the behavioral indicators described above. The risk is not eliminated, but it is substantially contained.
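To make the four segmentation rules above concrete, here is an added example (not from the article, and not a rule set for any particular firewall product) that models the camera segment's policy as an ordered, first-match rule list and evaluates the same set of flows against a flat default-allow policy and a default-deny policy with explicit integration and update paths. The segment addresses, the gateway and update-proxy hosts, and the flows are constructed for illustration.

```python
"""Segmentation policy model for the IoT/OT recommendations above.
Added example, not from the original article; addresses, hosts and rule
sets are constructed for illustration and are not vendor-specific."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
CAMERA_VLAN = ip_network("10.50.0.0/24")      # hypothetical camera segment
ENTERPRISE = ip_network("10.10.0.0/16")       # hypothetical corporate IT
NTP = ip_network("10.50.0.2/32")              # hypothetical in-segment NTP
GATEWAY = ip_network("10.60.0.10/32")         # hypothetical application-layer gateway
UPDATE_PROXY = ip_network("10.60.0.20/32")    # hypothetical controlled egress for vendor updates


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"
    log: bool = False


@dataclass(frozen=True)
class Policy:
    rules: tuple
    default_action: str       # applied when no rule matches
    log_default: bool         # whether unmatched traffic is logged


# Weak setting: flat network, everything permitted, nothing logged.
FLAT_POLICY = Policy(rules=(), default_action="allow", log_default=False)

# Hardened setting: only defined integration points, default deny, all else logged.
SEGMENTED_POLICY = Policy(
    rules=(
        Rule(CAMERA_VLAN, GATEWAY, 554, "allow"),            # video to VMS via gateway
        Rule(CAMERA_VLAN, GATEWAY, 443, "allow"),            # management via gateway
        Rule(CAMERA_VLAN, NTP, 123, "allow"),                # time sync inside segment
        Rule(CAMERA_VLAN, UPDATE_PROXY, 443, "allow", log=True),  # vendor updates, logged
        Rule(CAMERA_VLAN, ENTERPRISE, None, "deny", log=True),    # no direct IoT -> IT routing
        Rule(CAMERA_VLAN, ANY, None, "deny", log=True),           # no direct internet egress
    ),
    default_action="deny",
    log_default=True,
)


def evaluate(policy, src, dst, dport):
    """First-match evaluation; returns (action, logged)."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy.rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.log
    return policy.default_action, policy.log_default


# Constructed flows: legitimate integration paths plus the lateral-movement
# and egress attempts a compromised camera would make.
SAMPLE_FLOWS = {
    "video to gateway":       ("10.50.0.21", "10.60.0.10", 554),
    "vendor update via proxy": ("10.50.0.21", "10.60.0.20", 443),
    "SMB to file server":     ("10.50.0.22", "10.10.1.7", 445),
    "LDAP to domain controller": ("10.50.0.22", "10.10.5.5", 389),
    "direct internet egress": ("10.50.0.23", "203.0.113.9", 443),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {description: (flat_action, segmented_action, segmented_logged)}."""
    result = {}
    for name, (src, dst, dport) in flows.items():
        flat_action, _ = evaluate(FLAT_POLICY, src, dst, dport)
        seg_action, seg_logged = evaluate(SEGMENTED_POLICY, src, dst, dport)
        result[name] = (flat_action, seg_action, seg_logged)
    return result


if __name__ == "__main__":
    for name, (flat, seg, logged) in compare().items():
        print(f"{name:28} flat={flat:5} segmented={seg:5} logged={logged}")
```

Under the flat policy every flow, including SMB to a file server and direct internet egress, is allowed and invisible. Under the segmented policy the two legitimate integration paths still work, the vendor-update path is permitted but logged, and every lateral-movement or egress attempt is denied and logged, which is exactly the traffic the detection indicators earlier in the article look for. Rule order matters: the two deny rules sit after the specific allows, so reordering them would silently break the integration points.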
The cameras were installed to improve physical security. Leaving them unmanaged on the corporate network inverts that purpose.
This article is provided for informational purposes only and does not constitute legal advice.