Is Someone Watching? How Hackers Access Your Security Cameras — and How to Stop Them

This article was published by Jazz Cyber Shield.

If you’ve ever worked with IP cameras, you know the convenience of remote access. But that same convenience is often a security nightmare. When we deploy networked devices, we are essentially extending our internal network to the public internet—often without realizing the attack surface we’re exposing.

How are these cameras getting compromised? It’s rarely "hacker-movie" level sophisticated. It’s almost always misconfiguration.

The Anatomy of an IP Camera Breach

Most modern breaches of IoT devices boil down to a few common patterns in our network stack:

• Default Credential Stuffing: Many manufacturers ship devices with hardcoded or default credentials. Automated botnets scan the IPv4 space, targeting standard ports (like 80, 8080, and 554) with dictionary attacks. If you haven't changed the default admin:admin, you are in the logs.
• Exposed UPnP/Port Forwarding: UPnP (Universal Plug and Play) is the enemy of security. It allows devices to automatically punch holes in your NAT firewall. A compromised camera on your network can then become an entry point for lateral movement into your internal servers.
• CVE Exploits in Firmware: Security cameras are essentially running stripped-down Linux distros. Many vendors stop pushing security patches after a year or two. If an exploit (like a buffer overflow in the RTSP stream handler) is published on Exploit-DB, any unpatched camera becomes an easy target.

Hardening Your Network Perimeter

As developers and IT professionals, we should approach IoT security with a "Zero Trust" mindset.

• VLAN Isolation: Never put your cameras on the same network as your workstation or NAS. Place them in a dedicated IoT VLAN and use firewall rules (ACLs) to ensure they can only reach the internet via a specific gateway, never your internal LAN.
• Kill Port Forwarding: Disable port forwarding immediately. If you need remote access, use a VPN (WireGuard or Tailscale). Tunneling into your network keeps your management interface private.
• Disable UPnP: Check your router settings. If UPnP is enabled, disable it. Manually manage your port mapping if absolutely necessary—but ideally, don't map anything at all.
• Outbound Filtering: Configure your firewall to block all outbound traffic from your cameras except to the manufacturer's update server or your NVR (Network Video Recorder). A camera shouldn't be "phoning home" to random servers in other regions.

Closing the Loop

IoT security isn't "set and forget." It’s an ongoing maintenance task. By treating these cameras as untrusted devices on your network, you drastically reduce your risk profile.

Have you audited your IoT network recently? Let’s talk about your preferred way to segment untrusted hardware in the comments.