Securing IP camera systems as IoT attack surfaces: default credential risks, VLAN segmentation, VMS hardening, privacy compliance, and the physical security paradox. Covers Hikvision, Dahua, Mirai botnet, and GDPR implications.
# Video Surveillance Security
Definition
Security cameras are among the most widely deployed network-connected devices in enterprise environments and among the most insecure. The institutional irony is not subtle: the devices purchased to improve security are routinely deployed as unsecured network access points, botnet nodes, and surveillance platforms for adversaries who never needed physical access to the building to see what the cameras see.
Video surveillance security is the discipline of deploying, configuring, and maintaining IP camera systems and their supporting infrastructure in a manner that provides effective physical surveillance without creating network security vulnerabilities, data exposure risks, or privacy compliance failures. It encompasses camera device hardening, network architecture, Video Management System (VMS) protection, access controls for recorded footage, retention policy, privacy compliance, and the physical protection of surveillance infrastructure itself.
The threat model operates on two tracks simultaneously. The first track treats cameras as defenders: surveillance systems that deter and document physical security incidents, provide forensic evidence, enable real-time monitoring of controlled spaces, and integrate with access control systems to correlate badge events with camera footage. The second track treats cameras as attack surfaces: IP devices that are frequently deployed with default credentials, unpatched firmware, unrestricted network connectivity, and no monitoring, making them trivially exploitable for network access, internal reconnaissance, or botnet recruitment.
An organization that deploys cameras only through the first track, treating them purely as physical security tools and ignoring their network posture, has a security program where the surveillance system is itself a source of the risk it was purchased to reduce. CDA's Autonomous Posture Command (APC) methodology does not distinguish between cameras and workstations when assessing whether network-connected devices are appropriately hardened. A camera with default credentials on the corporate network is a compromise waiting to happen. The terrain metaphor of SPH (Security Posture and Hygiene) applies: cameras are terrain. Their configuration either contributes to or detracts from the overall security posture.
---
How It Works
Camera Hardware and Deployment
Modern enterprise surveillance uses IP cameras (network cameras) rather than the analog CCTV systems of older installations. IP cameras connect to the organization's network (or a dedicated surveillance network), encode video digitally, and transmit streams to a Video Management System for recording, viewing, and management. This network connectivity is what makes IP cameras both more capable and more vulnerable than their analog predecessors: they can be accessed remotely, managed centrally, and integrated with other systems, but they are also reachable by anyone on the same network.
Camera types by application include fixed cameras (pointed at a specific area, providing continuous coverage of high-priority locations such as entrances, server rooms, and reception areas), pan-tilt-zoom (PTZ) cameras (motorized cameras that can be directed to different areas by an operator or by automated tracking), wide-angle and fisheye cameras (providing 180 or 360 degree coverage from a single device, useful in large open areas), and license plate recognition (LPR) cameras (optimized for high-contrast capture of vehicle plates, used at parking entrances and perimeters).
Camera selection should align with the lighting conditions, required field of view, required resolution (measured in megapixels, with higher resolution enabling identification at greater distances), and whether the location requires discreet or visible deterrent deployment. Visible cameras deter opportunistic actors. Covert cameras capture behavior that visible cameras would suppress, providing evidence rather than deterrence.
Physical placement determines coverage and blind spots. A surveillance system with gaps in coverage (areas not visible to any camera) creates exploitable blind spots. Adversaries who have conducted physical reconnaissance know where cameras are and how to move through a facility using uncovered routes. Coverage mapping (documenting exactly what each camera sees and identifying gaps) is a required element of surveillance system design and should be reviewed after any facility modification.
The Default Credential Epidemic
The single most pervasive vulnerability in enterprise IP camera deployments is the failure to change default credentials. This is not a sophisticated attack. It requires no technical expertise. It requires only that the installer did not change the password that the camera shipped with, which is frequently the case.
Hikvision is the world's largest manufacturer of IP cameras by market share. Dahua Technology is the second largest. Both companies ship cameras with documented default credentials: common examples include administrator accounts with passwords such as "12345," "admin," or the device's serial number. These defaults are publicly documented, included in manufacturer documentation, and indexed by tools like Shodan, which scans the internet for internet-facing devices and catalogs their characteristics. An organization that connects a Hikvision or Dahua camera to a network without changing the default password, and whose firewall allows any inbound access to that network, has effectively published an access point.
The scale of this problem became undeniable in 2016 with the emergence of the Mirai botnet. Mirai was malware that scanned the internet for IoT devices (cameras, routers, digital video recorders) with factory default credentials, logged in using those credentials, and recruited the device into a botnet. At its peak, Mirai had compromised hundreds of thousands of devices, with IP cameras and DVRs constituting the majority of the botnet's membership. Mirai was used to execute distributed denial-of-service attacks, including an attack on DNS provider Dyn in October 2016 that disrupted access to major websites including Twitter, Netflix, Reddit, and GitHub for hours. The analysis of Mirai's target list published by Antonakakis et al. at USENIX 2017 confirmed that Hikvision and Dahua cameras, along with cameras from dozens of other manufacturers with the same default credential problem, were among the primary recruitment targets.
Mirai did not represent a sophisticated supply chain attack or a novel exploit technique. It represented the systemic consequence of deploying hundreds of millions of network-connected devices with default credentials and no patch management process. The lesson applies directly to enterprise surveillance deployments: a camera that has not had its default credentials changed, that is on a network reachable from the internet, and whose firmware has not been updated, is not a security tool. It is a compromised device that happens to have a camera attached.
Network Architecture: Segmentation and Isolation
The appropriate network architecture for IP cameras places them on a dedicated VLAN (Virtual Local Area Network) isolated from the corporate network. The surveillance VLAN should have the following properties.
Cameras can reach the VMS server (which collects and stores footage) but cannot initiate connections to any other network segment. The VMS server can reach cameras for management and stream collection but is not accessible from the general corporate network. Remote access to the VMS (for security personnel who need to view footage from their workstations) is provided through controlled access paths, not through direct routing between the surveillance VLAN and the corporate LAN. Internet access from the surveillance VLAN should be blocked entirely, with the exception of firmware update repositories if automatic updates are configured.
This architecture limits the blast radius of a compromised camera. If an adversary gains control of a camera (through a default credential, an unpatched firmware vulnerability, or a supply chain compromise), they are contained within the surveillance VLAN. They can see other cameras and the VMS, but they cannot reach the corporate network, the Active Directory domain, or any application infrastructure from the compromised camera. Containment is the defense-in-depth principle applied to IoT segmentation.
Cameras should also have UPnP (Universal Plug and Play) disabled. UPnP allows devices to automatically configure firewall rules and port forwarding on the network router, potentially exposing the camera to the internet without the administrator's knowledge or intention. Disabling UPnP prevents cameras from self-publishing to the internet.
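The isolation properties above can be checked mechanically against a firewall's allow rules. The following Python sketch is an added example, not part of the original article: the addressing plan, the jump host used as the controlled access path, the rule names, and the assumption that the list holds the effective rules (no shadowing by earlier rules) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network

# Constructed addressing plan (assumption, not taken from the article).
SURV_VLAN = net("10.50.0.0/24")    # cameras and the VMS server
VMS = net("10.50.0.10/32")         # VMS recording server
CORP_LAN = net("10.10.0.0/16")     # general corporate network
JUMP_HOST = net("10.10.99.5/32")   # controlled access path for footage review
FW_REPO = net("203.0.113.20/32")   # firmware update repository (documentation range)
ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def audit(rules):
    """Return (rule name, finding) pairs for allow rules that break VLAN isolation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Egress: traffic leaving the surveillance VLAN may only go to the firmware repo.
        if r.src.overlaps(SURV_VLAN) and not (
            r.dst.subnet_of(SURV_VLAN) or r.dst.subnet_of(FW_REPO)
        ):
            if r.dst.overlaps(CORP_LAN):
                findings.append((r.name, "surveillance VLAN can reach corporate LAN"))
            if not r.dst.subnet_of(CORP_LAN):
                findings.append((r.name, "surveillance VLAN has internet egress"))
        # Ingress: only the jump host may enter, and only to reach the VMS.
        if r.dst.overlaps(SURV_VLAN) and not r.src.subnet_of(SURV_VLAN):
            if not (r.src.subnet_of(JUMP_HOST) and r.dst.subnet_of(VMS)):
                findings.append((r.name, "direct route into surveillance VLAN"))
    return findings


# Constructed sample rule set: four compliant rules, three violations, default deny.
RULES = [
    Rule("cam-to-vms", SURV_VLAN, VMS, "allow"),
    Rule("vms-to-cams", VMS, SURV_VLAN, "allow"),
    Rule("cam-fw-update", SURV_VLAN, FW_REPO, "allow"),
    Rule("soc-via-jump", JUMP_HOST, VMS, "allow"),
    Rule("legacy-nvr-sync", SURV_VLAN, net("10.10.20.0/24"), "allow"),
    Rule("installer-temp", SURV_VLAN, ANY, "allow"),
    Rule("helpdesk-view", CORP_LAN, SURV_VLAN, "allow"),
    Rule("default-deny", ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```
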
---
Why It Matters
The risk is not hypothetical. In 2021, a group of researchers gained access to approximately 150,000 cameras operated by Verkada, a cloud-managed camera startup, through a compromised administrator account. The accessed cameras included feeds from Tesla manufacturing facilities, Equinox fitness centers, hospitals, jails, and schools. The researchers could view live footage from all 150,000 cameras and accessed historical recordings. The breach was enabled by a single compromised administrative credential. No vulnerability in camera hardware was required.
Separately, Hikvision cameras shipped with a backdoor (CVE-2021-36260) that allowed unauthenticated access to the camera and from there to the network behind it. CISA issued an advisory. The camera was widely deployed in government and enterprise environments. The patch required a firmware update that many organizations had not applied, because IP cameras are frequently treated as set-and-forget infrastructure with no patch management process.
The privacy compliance dimension is binding for organizations subject to GDPR, UK GDPR, CCPA, or equivalent laws. Video surveillance footage captures images of people and is personal data under GDPR. The European Data Protection Board's 2020 guidelines on video surveillance establish specific requirements: a lawful basis for processing (legitimate interest, with a documented balancing test), data minimization (cameras should cover only the areas necessary to achieve the stated purpose, not every corner of the facility), retention limits (footage should not be retained beyond the period necessary for its purpose; 30 to 90 days is a common retention window for general surveillance purposes), and access controls (footage is personal data accessible only to personnel with a legitimate need).
Organizations subject to GDPR that allow unrestricted access to surveillance footage, retain footage indefinitely, or deploy cameras in areas without a documented lawful basis are exposed to regulatory enforcement action independently of any cybersecurity incident. The Data Protection Officer (or equivalent responsible person) must be involved in surveillance system design, not just IT and facilities.
The physical security paradox: cameras are physical security tools that are themselves physical attack targets. A camera can be physically destroyed, obscured, redirected, or covered before or during a physical intrusion to blind coverage of the attack path. A well-designed surveillance system accounts for this by ensuring coverage redundancy (multiple cameras cover each critical area from different angles, so disabling one does not eliminate coverage), tamper detection (cameras alert when their view is blocked, moved, or when the device is powered down), and camera placement that requires intentional effort to reach (cameras mounted at height, in protected enclosures, or in locations not easily approached without being visible to other cameras).
---
Technical Details
Video Management Systems
The VMS is the central platform for recording, managing, and accessing surveillance footage. It is also a high-value target: the VMS database contains sensitive video footage and the credentials for managing all cameras in the organization. VMS hardening is as important as camera hardening.
Milestone XProtect is one of the most widely deployed enterprise VMS platforms. It uses a federated architecture that supports thousands of cameras across multiple sites managed from a single interface. Milestone's role-based access control allows granular permissions: different users can be granted access to footage from specific cameras or sites, with all access logged for audit purposes.
Genetec Security Center provides integrated VMS and physical access control in a single platform, enabling the correlation of badge access events with camera footage that is essential for physical security investigations. When an access control event (an employee badges into a server room) is associated with a camera event (the camera nearest that door records the entry), investigators can pull correlated evidence rather than searching through hours of footage.
Avigilon Control Center (Motorola Solutions) incorporates AI-based video analytics including object detection, unusual motion detection, and license plate recognition. AI analytics reduce the operational burden of manual video review by alerting on specific event types rather than requiring continuous monitoring of all camera feeds.
VMS hardening requirements mirror application server hardening: operating system patching, application updates on a defined schedule, database access controls (the footage database should not be accessible with default or shared credentials), encryption of footage at rest and in transit, role-based access with the principle of least privilege (camera operators can view live feeds; investigators can access historical footage; administrators can configure the system; no role should have all three by default), and logging of all user access to footage.
Stream encryption is a commonly overlooked control. RTSP (Real-Time Streaming Protocol), the standard protocol for IP camera video streams, transmits video in cleartext by default. On a properly segmented surveillance VLAN, this is a limited risk because traffic does not leave the controlled network segment. However, for remote access scenarios, or in environments where camera streams are transmitted across shared network infrastructure, RTSP over TLS should be configured to encrypt the video stream in transit. Without encryption, anyone with access to the network path can intercept and view video streams.
Firmware and Patch Management
IP cameras are computers running embedded operating systems and applications. Like all computers, they have vulnerabilities that are discovered and patched by manufacturers over time. Unlike workstations and servers, cameras are frequently deployed without any patch management process.
Organizations should establish a firmware management process for all IP cameras: inventory of all deployed cameras with current firmware versions, subscription to manufacturer security advisories (both Hikvision and Dahua publish security bulletins), a defined patch cycle for applying non-critical updates, and an accelerated process for critical vulnerability patches. CISA publishes advisories for critical vulnerabilities in widely deployed IoT devices including cameras; these advisories should be monitored.
Camera management should be performed through the VMS or a dedicated camera management platform, not through direct web interface access on the corporate network. Direct web interface access bypasses centralized logging and requires individual device management rather than fleet management.
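The firmware management process described above (inventory, advisory tracking, a routine patch cycle, and an accelerated path for critical fixes) reduces to a comparison that can run on a schedule. This Python sketch is an added example, not part of the original article: the camera models, firmware versions, advisory dates, and the 14-day and 90-day patch windows are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Patch windows are assumptions; set them to the organization's own policy.
PATCH_WINDOW = {"critical": timedelta(days=14), "routine": timedelta(days=90)}

# Constructed inventory export (hypothetical models and versions).
INVENTORY_CSV = """camera_id,model,firmware,location
lobby-01,ACME-D200,2.4.1,Lobby
dock-02,ACME-D200,2.6.0,Loading dock
srv-03,ACME-P500,1.9.7,Server room
gate-04,ACME-L10,3.0.2,Parking gate
roof-05,OLDCAM-1,0.9,Roof
"""

# Constructed advisory baseline: model -> (first fixed version, severity, published).
ADVISORIES = {
    "ACME-D200": ("2.6.0", "critical", date(2024, 3, 1)),
    "ACME-P500": ("2.0.0", "routine", date(2024, 2, 1)),
    "ACME-L10": ("3.0.0", "routine", date(2023, 11, 1)),
}


def parse_version(text):
    """Turn a dotted version such as '2.4.1' into a comparable tuple (2, 4, 1)."""
    return tuple(int(part) for part in text.split("."))


def audit_firmware(inventory_csv, advisories, today):
    """Map each camera_id to current, pending-*, overdue-* or untracked."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        advisory = advisories.get(row["model"])
        if advisory is None:
            # No advisory feed covers this model, so its exposure is unknown.
            status = "untracked"
        else:
            fixed, severity, published = advisory
            if parse_version(row["firmware"]) >= parse_version(fixed):
                status = "current"
            elif today > published + PATCH_WINDOW[severity]:
                status = f"overdue-{severity}"
            else:
                status = f"pending-{severity}"
        results[row["camera_id"]] = status
    return results


if __name__ == "__main__":
    report = audit_firmware(INVENTORY_CSV, ADVISORIES, date(2024, 3, 20))
    for camera_id, status in report.items():
        print(f"{camera_id}: {status}")
```

Cameras reported as untracked are the ones deployed outside the advisory subscription and deserve the same follow-up as overdue devices.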
---
CDA Perspective
In the Planetary Defense Model, IP cameras represent a specific SPH challenge: network-connected devices deployed by physical security or facilities teams, outside the traditional IT asset management process, often without the hardening standards applied to workstations and servers. This gap between physical security and IT security ownership is where posture failures accumulate.
CDA's Autonomous Posture Command (APC) methodology does not recognize an exception for devices managed by non-IT teams. "Your posture adapts. Your hygiene never sleeps" applies to every network-connected device in the organization, regardless of which team manages it. APC continuous monitoring should include surveillance system components: camera firmware currency, default credential verification, VLAN isolation validation, VMS access control review, and footage retention policy compliance.
Mission SPH-B03 in CDA's Theater of Operations addresses physical security technology assessment, including surveillance system posture. Assessment deliverables include camera inventory and firmware status, network architecture review (confirming surveillance VLAN isolation), VMS access control evaluation (confirming role-based access and audit logging), coverage gap analysis, and privacy compliance review for organizations subject to GDPR or equivalent regulations.
The physical security paradox (cameras as both defenders and targets) connects to the broader principle that security controls must themselves be secured. An organization that deploys cameras as the last layer of physical security defense, without securing the cameras themselves, has built a security capability that can be turned against them. Adversaries who compromise camera systems gain intelligence about physical security posture, patrol patterns, coverage gaps, and who accesses which areas and when. That intelligence directly enables more sophisticated physical attacks.
The Mirai botnet serves as the canonical illustration of systemic IoT security failure. Cameras deployed without basic hardening (default credential change, firmware updates, network segmentation) became involuntary participants in attacks on unrelated targets, exposed their operators to reputational and legal risk (operating a botnet node, even involuntarily, creates liability questions), and demonstrated that the security camera industry's historical indifference to device security had global consequences. The response from manufacturers has been mixed: some have implemented mandatory first-time password changes, automatic update prompts, and improved default configurations. Others have not. The responsibility to verify device security on deployment cannot be delegated to the manufacturer.
---
Key Takeaways
- IP cameras are IoT devices that must be hardened like any other network-connected computer. Failure to change default credentials (the single most common IP camera vulnerability) creates an access point that adversaries, malware like Mirai, and security researchers can trivially exploit.
- Network segmentation (dedicated surveillance VLAN isolated from the corporate network) is the single most effective architectural control. A compromised camera on an isolated VLAN cannot reach corporate systems. A compromised camera on the corporate LAN is a foothold.
- VMS platforms (Milestone XProtect, Genetec Security Center, Avigilon) are high-value targets containing sensitive footage and camera management credentials. VMS hardening, role-based access, and audit logging are required, not optional.
- Video surveillance footage is personal data under GDPR and equivalent laws, requiring a lawful basis for processing, documented retention limits, and access controls. Surveillance systems deployed without Data Protection Officer involvement expose the organization to regulatory enforcement.
- Cameras are physical attack targets as well as defenders. Coverage redundancy, tamper detection, and secure physical placement of camera hardware are required to prevent adversaries from blinding the surveillance system before a physical intrusion.
---
Related Articles
- Access Control Systems [SPH-pacs]
- IoT Security [SPH-iot]
- Insider Threat [TID109]
- Environmental Controls for Data Centers [SPH-env]
- Autonomous Posture Command (APC) [CDP-APC]
---
Sources
- CISA. Security Guidance for IP Cameras. Cybersecurity and Infrastructure Security Agency, 2023. https://www.cisa.gov/news-events/alerts/2017/04/13/cameras
- Krebs, Brian. Who Makes the IoT Things Under Attack? Krebs on Security, 2016. https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
- Antonakakis, Manos et al. Understanding the Mirai Botnet. Proceedings of the 26th USENIX Security Symposium, 2017. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis
- European Data Protection Board. Guidelines 3/2019 on Processing of Personal Data through Video Devices. EDPB, Version 2.0, 2020. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-video-surveillance_en
- CDA, LLC. Autonomous Posture Command (APC) Methodology Reference. CDA Canon, 2026.
Written by Evan Morgan