The Security Service of Ukraine (SSU) is asking the public to cut off live feeds of residential and business surveillance cameras, as Russian hackers have been actively exploiting them as a means of scouting areas that their military intends to attack.
The hackers have reportedly accessed cameras in apartment buildings and parking facilities, and are most interested in those that are near critical infrastructure or air defense systems and can have their viewing angles changed remotely. The agency reports two recent compromises of surveillance cameras in Kyiv ahead of missile attacks on a nearby critical infrastructure facility.
Ukraine’s internet-connected surveillance cameras exploited by Russian hackers
The SSU says that there are about 10,000 WiFi or wireless IP surveillance cameras that have already been blocked to prevent misuse by Russian hackers. The agency is now warning that even an unintentional broadcast of live video or images that could provide intelligence about the country’s defenses or military movements can be considered a criminal charge of “adjustment of enemy fire” that carries a penalty of up to 12 years in prison.
The most recent incident came ahead of a massive missile and drone strike on January 2 that concentrated on Kyiv’s air defenses and utilities. The attack was reported as having left about a quarter of a million of the city’s residents without electricity or an internet connection for some time. In the week following there have been repeated attacks of this nature, causing a number of deaths and hundreds of injuries. President Zelenskyy recently told the Financial Times that the Russians had already fired 170 drones and dozens of missiles at the capitol city to open the new year.
One of the hacked surveillance cameras was located on the balcony of a multi-story apartment and used to keep tabs on the area around the building. Another was mounted above a residential building’s parking lot. In both cases, the Russian hackers were able to change the viewing angle over to a nearby target of interest and used a private Youtube channel to monitor the feed ahead of the attacks.
A December 2023 story published by Radio Free Europe suggests that this is not a new phenomenon, and that certain Russian manufacturers have for some time been facilitating intelligence collection by pipelining facial recognition and license plate monitoring footage to servers operated by the FSB.
An April report from The Guardian also documented attempts by Russian hackers to access the surveillance cameras in coffee shops, with the purpose of watching for troop and supply movements on nearby streets and train tracks.
Poor webcam and IoT security once again in the spotlight
The truth of the situation is that all sides of a war generally attempt to hack surveillance cameras. The broader category of “Internet of Things” (IoT) devices remain poorly secured and present too tempting of a target to ignore. The types of cameras that were hacked in Kyiv, those mounted around residential properties, are purchased from Amazon and similar retailers for as low as $50 each and are generally set up without any thought to ongoing security or software updates. Even when a business has a formal IT department with security staff, cameras for routine monitoring of common areas often end up outside their purview and not properly managed for security risks.
In addition to intelligence gathering, hacked IoT devices and surveillance cameras can potentially be used as an entry point for lateral movement into business networks if they interface with other components. A 2021 study conducted by Palo Alto Networks found that IP cameras were by far the least secure and highest-risk devices in these environments.
As Bud Broomhead, CEO at Viakoo, notes: “All conflicts today (and for the past 15 years) have had some element of leveraging vulnerable IoT/OT/ICS devices to gain a cyber advantage during wartime. For example, Stuxnet is more than 13 years old and was a significant exploitation of SCADA systems … IoT devices typically exist at 10x or more the number of IT devices, and therefore on an organization need to have automated methods to update firmware, passwords, and certificates to address the scale issue. The solutions used by organizations for IT systems do not work for IoT, therefore organizations nee to deploy agentless IoT solutions to provide automated cyber hygiene management. Organizations also need to be aware that with tightly-coupled IoT systems it’s both the cybersecurity of the devices and the applications that control them that matters. With IoT the attack surface grows one application at a time, and needs to be managed at an application level, using application-based discovery.”
Much of the situation can be put at the feet of an ongoing lack of industry standards and poor regulation for IoT devices, where competition is generally fierce and cost concerns usually come well before thoughts of proper device security. IoT devices have seen some improvement in recent years, but some still ship with unchangeable default passwords, limited ability to create an appropriately strong password, or no password at all. Many still lack a system of ongoing software updates to address vulnerabilities that arise, and it can be difficult for security staff to find ways to effectively monitor them for intrusion attempts. Larger companies also purchase so many IoT devices that they have trouble keeping track of them, often lacking a basic centralized inventory of everything they have.
Ken Dunham, Cyber Threat Director of the Qualys Threat Research Unit, additionally notes that even sharper IT security teams often feel that cameras for local monitoring are too obscure and unimportant to worry about: “The world of cyber and conventional warfare is a powerful combination with IOC integration and interdependency in 2024. Organizations must prioritize SecOps for all areas of infrastructure, including physical security controls, segmented networks, and those considered air-gapped, as connections and capabilities often exist that complex networks may not realize until exploitation and lateral movement occur. Do not make the mistake or assumption of believing your security cameras are secure by being obscure in your segmented network – you must still prioritize and manage security for these devices, customized to the risk specific to your assets and adversaries.”
The National Institute of Standards and Technology (NIST) is attempting to address this issue with a proposed encryption standard that was introduced in early 2023. The standard would be applicable to even the smallest and simplest devices, but it would likely be years yet before widespread adoption would be feasible.
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, provides some insight into how the risk can be managed until the general IoT “security by design” situation improves: “For organizations, especially those in sectors reliant on IoT and ICS, the key takeaway is the urgent need to prioritize security in their digital transformation strategies. This includes conducting regular security assessments, implementing a robust security framework tailored to their specific operational environment, and ensuring continuous monitoring and incident response capabilities. Additionally, these incidents highlight the importance of collaboration between private entities and government agencies in addressing cybersecurity threats. Sharing threat intelligence and best practices can significantly enhance an organization’s ability to detect and respond to emerging threats. These incidents are a reminder of the risks unsecured IoT devices pose, not just in terms of data breaches but also in enabling physical attacks. They call for a more holistic approach to cybersecurity, where physical and cyber risks are integrated into an organization’s risk management strategy.”