Every Camera Is a Target: How Hacking Civilian Security Cameras Became Standard War Doctrine
Israel used Tehran's own traffic cameras to track Khamenei's security detail and guide the strike that killed him. Iran's hackers targeted cameras across six countries to guide missile attacks. Russia and Ukraine have been trading camera hacks for years. New research from Check Point confirms the obvious: civilian surveillance infrastructure is now military hardware - and the owners have no idea.
The day they killed Ali Khamenei, Israel did not rely solely on satellites, drones, or human intelligence assets. They used Tehran's own traffic cameras.
According to Israeli intelligence sources speaking to the Financial Times, the operation that located Iran's supreme leader involved assembling real-time footage from cameras placed across Tehran, giving Israeli intelligence officers a ground-level view of the patterns of movement around Khamenei's security guards. "We knew Tehran like we know Jerusalem," one source told the FT.
The cameras had not been placed by Israeli intelligence. They were Iran's own civilian surveillance infrastructure - traffic monitoring systems, public safety cameras, the kind of networked CCTV apparatus every modern city installs without much thought about what happens when an adversary gains access to the feed.
This was not a novel trick. It was the culmination of a surveillance doctrine that has been building across every major conflict zone for nearly a decade - from the streets of Kyiv to the bridges of Crimea to now the highways of Tehran. And this week, Tel Aviv-based security firm Check Point published new research documenting Iran's parallel effort to do exactly the same thing to its adversaries: hundreds of hacking attempts targeting consumer security cameras across Bahrain, Cyprus, Kuwait, Lebanon, Qatar, the UAE, and Israel itself - timed to missile and drone strikes that began on February 28.
The research makes something uncomfortable very clear: in 2026, every unpatched security camera connected to the internet is potential military hardware. It does not matter who owns it, who installed it, or what country it sits in.
The Check Point Research: Iran's Camera Reconnaissance Operation
Check Point's threat intelligence team released the findings on March 6, 2026. The research describes a targeted hacking campaign against internet-connected security cameras across the Middle East, with activity primarily concentrated in two windows: mid-January 2026, when protests were spreading inside Iran and the US and Israel were making preparations for military action, and February 28 through March 1, as the first wave of US and Israeli air strikes hit Iranian targets.
The correlation between the camera-hacking attempts and the missile and drone strike timeline was not coincidental. Check Point attributed the campaign to three distinct groups it assesses as Iranian in origin, based on the servers and VPNs used. Some of those infrastructure nodes had been previously linked by multiple cybersecurity firms to Handala - a hacker group with documented ties to Iran's Ministry of Intelligence and Security (MOIS).
"Now hacking cameras has become part of the playbook of military activity. You get direct visibility without using any expensive military means such as satellites, often with better resolution." - Sergey Shykevich, threat intelligence lead, Check Point Research
The vulnerabilities exploited were not zero-days. They were not sophisticated. All five security flaws targeted in the campaign had already been patched by the manufacturers - Hikvision and Dahua, the two dominant Chinese camera brands deployed globally. One vulnerability dated back to 2017. But as with the vast majority of internet-of-things devices, the cameras had not been updated by their owners. In many cases, the owners did not know updates were available, or did not know the devices needed updating at all.
This is the fundamental security problem with consumer-grade surveillance infrastructure. The people who install these cameras are not IT security professionals. They buy a camera from Amazon, connect it to their router, and forget about it. The cameras run embedded firmware that almost never auto-updates. The manufacturer ships patches, sometimes quietly, with no push notification mechanism. The gap between "vulnerability disclosed" and "camera owner applies patch" can be measured in years - or never.
Check Point was able to observe the intrusion attempts only on networks equipped with its own firewall appliances - meaning the data is skewed toward its customer base, which is relatively heavy in Israel. The actual scope of the campaign is almost certainly larger. What they caught is the fragment they could see.
The Vulnerabilities Iran's Hackers Exploited
- Targets: Hikvision and Dahua consumer-grade IP cameras
- Exploits used: 5 distinct CVEs - all previously disclosed and patched
- Oldest vulnerability: Disclosed in 2017 - still active in cameras because owners never patched
- Attack geography: Bahrain, Cyprus, Kuwait, Lebanon, Qatar, UAE, and Israel
- Attack windows: Mid-January 2026 (pre-war preparation) and February 28 - March 1 (strike commencement)
- Attribution: Three Iranian-linked groups, one tied to Handala / MOIS
- Note: Hikvision and Dahua are effectively banned in the United States under the 2019 NDAA due to security concerns. Both are widely deployed everywhere else.
The goal of the camera access, Check Point assesses, was reconnaissance: watching potential strike targets before attacks, assessing bomb damage after strikes, and tracking the movement of military and government personnel. In a conflict where every major power is watching every other major power's drone and satellite patterns, having ground-level eyes that look like ordinary traffic monitoring provides a significant advantage that is hard to detect and even harder to attribute.
How Israel Used Iran's Own Eyes to Find Khamenei
While Iran was trying to hack cameras to watch its adversaries, Israel had already penetrated "nearly all" of Tehran's traffic camera network, according to the Financial Times report published in the days following the February 28 strike.
The operation described by Israeli intelligence sources is methodical and patient - not an improvised attack but a long-running intelligence collection program. Over time, Israeli and CIA analysts assembled the patterns of life of the security personnel surrounding Khamenei by watching their movements on footage from cameras positioned across Tehran's road network. By the time the order came to strike, they had real-time visibility into the city's streets.
This is what Check Point's Sergey Shykevich calls "direct visibility without expensive military means." A satellite provides a top-down view. A drone can be shot down and is detectable by radar. A hacked traffic camera provides a street-level perspective, continuous video feed, and is operated by the very government you are targeting - meaning they bear the infrastructure costs and maintenance burden for their own surveillance by the enemy.
"For any attacker who is planning military activity, it's now a straightforward act to try it, because it's easy and provides very good value for your effort." - Sergey Shykevich, Check Point Research, speaking to Wired, March 6, 2026
There is a particularly striking detail in the FT account: the intelligence was not just "we know where the cameras are." It was granular enough to enable what intelligence professionals call "pattern of life analysis" - understanding the routines, schedules, and movement patterns of specific individuals and their security details. That level of surveillance quality, derived from a city's own public traffic infrastructure, represents a significant shift in what adversaries can know about each other without visible intelligence collection operations.
Iran's Khamenei was, presumably, aware that he was under surveillance. He changed locations regularly and maintained strict security protocols. But he could not control the cameras on Tehran's streets that were ostensibly maintained by the municipality. Those cameras, once compromised by hostile intelligence services, became the window through which his movement patterns were read.
Ukraine and Russia Wrote the Original Playbook
The current Middle East conflict did not invent camera warfare. It inherited a doctrine that Russia and Ukraine have been developing and refining since at least 2022, and which has accelerated significantly in the past two years.
In January 2024, Ukraine's SSU intelligence service publicly warned that Russian forces had successfully hacked two security cameras in Kyiv - positioning the feeds to observe Ukrainian air defense systems and infrastructure targets. The SSU stated plainly: "The aggressor used these cameras to collect data to prepare and adjust strikes on Kyiv." Shortly after, Russian missiles struck targets that those cameras had been watching.
The Ukrainian response was striking. The SSU announced it had disabled 10,000 internet-connected cameras - a number that suggests the problem had metastasized far beyond two compromised devices. Ukrainian authorities called on the public to stop streaming from their outdoor webcams entirely, understanding that every connected device with a view of infrastructure, air defense positions, or troop movements represented an intelligence hazard.
But Ukraine was simultaneously doing the same thing back to Russia. When the Ukrainian military executed its first successful underwater drone strike on a Russian submarine in the bay of Sevastopol in Crimea, the video footage released by Ukraine appeared to come from a hacked surveillance camera - not from the drone itself. Defense outlet The Military Times and a BBC investigation into Ukrainian hacktivist group One Fist both documented Ukrainian hackers monitoring Russian military movements via hijacked cameras placed near the Kerch Bridge connecting Russia to occupied Crimea.
By the time the US-Israel campaign against Iran launched in late February 2026, camera intelligence was a mature capability - not an experiment. Peter W. Singer, a military researcher at the New America Foundation and author of the conflict technology book Ghost Fleet, told Wired that camera hacking now represents standard military operating procedure for any sophisticated actor.
"The advantages of co-opting a civilian camera network are presence and expense. The adversary's already done the work for you. They've placed cameras all around a city." - Peter W. Singer, New America Foundation, speaking to Wired, March 2026
Singer notes additional practical advantages over alternatives. Satellites offer top-down views with resolution limitations and predictable orbital patterns that adversaries can track and time their movements around. Drones are detectable, vulnerable to air defenses, and expensive. A compromised traffic camera mounted 15 feet above the sidewalk provides street-level, continuous, high-resolution video in conditions where the camera operator - the city itself - has no idea the feed is being watched by a foreign military intelligence service. The attacker's footprint is essentially zero.
The Accountability Gap Nobody Is Fixing
Here is where the story gets uncomfortable in ways that extend far beyond the Middle East or Ukraine.
Beau Woods, a security researcher who previously worked as an adviser to the US Cybersecurity and Infrastructure Security Agency (CISA), puts the accountability problem precisely:
"The manufacturer of the device and the owner of the device are not the victim. So the victim isn't in a position to control the tool that's used by the adversary. Who's liable, who's responsible, who's accountable? The camera itself is not directly causing the harm. But it's part of the kill chain." - Beau Woods, security researcher and former CISA adviser, speaking to Wired, March 2026
The kill chain problem is not theoretical. A shopkeeper in Beirut installs a Hikvision camera above their entrance because it was cheap on Amazon. They connect it to their router, verify it works, and move on with their life. That camera is now running 2019 firmware, exposed to the public internet, harboring a known CVE that has been in public vulnerability databases for years. The shopkeeper does not know. The camera manufacturer has issued patches but has no mechanism to push them or notify the owner. No government regulator requires the camera to have auto-update capability. No one checks.
And now, in a conflict zone, Iranian military hackers or Israeli intelligence or both scan that camera's IP address, find the vulnerability, take control of the feed, and use it to watch a street in Beirut that happens to have strategic relevance. The shopkeeper's camera has become part of someone's targeting infrastructure without their knowledge or consent.
The problem compounds with scale. There are an estimated one billion IP-connected cameras deployed globally. The largest share are Hikvision and Dahua devices - both Chinese manufacturers that are banned from US government use under the 2019 National Defense Authorization Act precisely because of documented security vulnerabilities and concerns about Chinese government access to the feeds. But both brands dominate the global market outside the United States, particularly in the Middle East, Africa, South Asia, and Latin America - exactly the regions where conflicts are most likely to occur and where this specific exploitation is most actively documented.
The 2019 US ban did not make the world's cameras more secure. It just ensured that cameras in US government facilities had marginally better procurement standards while the rest of the planet deployed hundreds of millions of unpatched, internet-exposed devices from the same manufacturers.
The Timeline: Camera Warfare Goes Mainstream
Second-Order Effects: What This Means Outside War Zones
The immediate application of camera warfare doctrine is in conflict zones. The second-order effects extend into every country with connected surveillance infrastructure - which in 2026 means virtually every country on Earth.
The first implication is for how democracies think about their own city camera networks. Most urban CCTV systems were designed with a specific threat model in mind: domestic crime, public safety, traffic monitoring. The possibility that a foreign intelligence service would quietly penetrate the network and use it to watch military facilities, government buildings, or infrastructure was not part of the design conversation when most of these systems were deployed. It should be now.
A traffic camera mounted outside a military installation in London, Brussels, or Washington is not a military system - but it is a potential intelligence asset for anyone who can access its feed. The same applies to cameras outside power stations, water treatment facilities, and legislative buildings. The physical security perimeter of critical infrastructure has traditionally been a physical boundary. Camera warfare doctrine makes that perimeter extend to every IP-connected device within line of sight of the facility.
The second implication concerns the supply chain politics of surveillance hardware. The US ban on Hikvision and Dahua was controversial when enacted - the companies pushed back, arguing the security concerns were overblown or geopolitically motivated. The accumulated evidence of the past two years makes the security case straightforward: these devices chronically go unpatched. They are being actively exploited in live military operations. Countries that have not adopted similar restrictions are deploying military reconnaissance infrastructure for adversaries without realizing it.
Third, and most significant for the long term: the camera hacking doctrine creates a persistent reconnaissance advantage for any actor with the technical capability to execute it - and the bar for that capability is remarkably low. The vulnerabilities being exploited in the Middle East were discovered years ago, are publicly documented in CVE databases, and have publicly available exploitation code. This is not sophisticated nation-state capability. It is commodity hacking applied to a target class - consumer cameras - that almost never gets patched.
Peter Singer's "the adversary's already done the work for you" framing carries a broader implication. Every city, government, and private organization that installs internet-connected cameras is, to some degree, building reconnaissance infrastructure that may be turned against them. The investment in cameras, in connectivity, in placement - all of it transfers to whoever gains access to the feed. And gaining access, given the state of camera security, is not particularly hard.
What Actually Gets Fixed - and What Doesn't
The structural problems here do not have simple solutions, and it is worth being honest about why the obvious fixes are harder than they sound.
The first instinct is "patch your cameras." This is correct advice that will be followed by essentially no one at scale. Camera owners are not, in general, IT security teams. They lack the knowledge, the tooling, and the incentive to treat a security camera the same way a corporate IT department treats a server. Even in contexts where the cameras are managed by municipalities or large organizations with IT capacity, camera firmware updates are rarely prioritized, the process is often manual, and the organizational will to maintain this infrastructure is weak because the downside risk - a security camera being used in a military operation on another continent - is abstract and invisible until it isn't.
The systemic fix requires pushing the responsibility upstream: mandatory auto-update capability for all networked surveillance devices sold in major markets, with enforceable timelines for manufacturer support and end-of-life policies that require replacement rather than letting insecure devices run indefinitely. Several regulatory frameworks - including EU cyber resilience regulations that took effect in 2024 - are beginning to push in this direction for IoT devices broadly. Camera-specific requirements are lagging.
A harder fix involves the fundamental deployment model. Cameras exposed directly to the public internet - with no network segmentation, no authentication beyond factory-default credentials, no monitoring for unusual access patterns - are the most vulnerable. Network segmentation, VLANs, and access control lists can dramatically reduce the attack surface. These measures require someone with IT capability to design and maintain the network architecture around the camera. For most small-scale deployments, that person does not exist.
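The "monitoring for unusual access patterns" that this paragraph says is missing can start as a check of firewall flow logs against the segmentation policy. The sketch below is an added example, not code from the article or from Check Point; the camera VLAN, the approved recorder and admin hosts, the log format and the sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed (hypothetical) layout: cameras live in their own VLAN and may only
# talk to the recorder (NVR) and one admin host.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.40.5"),    # NVR
                 ipaddress.ip_address("10.20.40.10")}   # admin jump host

# Constructed flow records: timestamp src sport dst dport action
SAMPLE_FLOWS = """\
2026-03-01T02:14:07Z 10.20.40.5 51322 10.20.30.11 554 ALLOW
2026-03-01T02:14:09Z 203.0.113.77 40112 10.20.30.11 80 ALLOW
2026-03-01T02:15:30Z 10.20.50.23 49811 10.20.30.12 8000 ALLOW
2026-03-01T02:16:02Z 10.20.30.12 38211 198.51.100.9 443 ALLOW
2026-03-01T02:16:40Z 203.0.113.77 40190 10.20.30.13 554 DENY
2026-03-01T02:17:00Z 10.20.30.11 123 10.20.40.5 123 ALLOW
"""

def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, sport, dst, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "action": action}

def classify(flow):
    """Return a finding label, or None if the flow fits the policy."""
    src, dst = flow["src"], flow["dst"]
    to_cam, from_cam = dst in CAMERA_NET, src in CAMERA_NET
    allowed = flow["action"] == "ALLOW"
    # Anything outside the camera VLAN that is not an approved peer
    # should never reach a camera.
    if to_cam and not from_cam and src not in ALLOWED_PEERS:
        if not allowed:
            return "blocked-probe-of-camera"
        return ("unapproved-internal-access-to-camera" if src in INTERNAL_NET
                else "external-access-to-camera")
    # A camera should only send traffic to its approved peers.
    if from_cam and not to_cam and dst not in ALLOWED_PEERS:
        return ("camera-egress-to-unapproved-host" if allowed
                else "blocked-camera-egress")
    return None

def audit(log_text):
    """Return (timestamp, label, camera_ip, action) for each policy violation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            camera = flow["dst"] if flow["dst"] in CAMERA_NET else flow["src"]
            findings.append((flow["ts"], label, str(camera), flow["action"]))
    return findings

def exposed_cameras(findings):
    """Cameras with at least one violating flow the firewall let through."""
    return sorted({cam for _, _, cam, action in findings if action == "ALLOW"})

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for finding in results:
        print(*finding)
    print("needs review:", exposed_cameras(results))
```

Cameras returned by `exposed_cameras` had a violating flow that was permitted, which points at a gap in the ACLs rather than at a probe the firewall already stopped.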
The military and intelligence dimensions are likely to drive faster change than consumer protection regulation. When governments understand that their adversaries are using their own cities' camera networks against them - as Iran now viscerally understands - the political will to address the vulnerability intensifies. The question is whether that urgency translates into durable infrastructure security improvements or just a new generation of cameras with the same problems at slightly higher specifications.
The New Surveillance Reality
There is a version of this story that stays contained within the narrow context of Middle East warfare and treats camera hacking as an interesting tactical footnote in a larger conflict. That reading misses what Check Point's research, the Khamenei assassination details, and the Ukraine precedents collectively establish.
This is not a wartime anomaly. It is a stable capability that transfers directly to peacetime intelligence collection, corporate espionage, and domestic surveillance operations. The exact same vulnerabilities, the exact same methodology, the exact same tools used to watch military targets in Beirut can be applied to watch anyone connected to the same class of infrastructure anywhere on Earth.
The camera hacking operations Check Point documented were military in purpose - tied to missile strikes and targeting operations. But Handala, the Iranian group linked to several of the camera intrusions, has previously conducted operations that look much less like military reconnaissance and much more like broad-based intelligence collection and harassment. The capability does not respect the military/civilian distinction its operators sometimes claim to observe.
And the capability is spreading. It started with sophisticated nation-state actors - Russia, Ukraine, Israel, Iran. It is now documented across multiple groups with varying levels of sophistication and different ultimate objectives. Within a few years, the methodology will be sufficiently routine that non-state actors, criminal groups, and private intelligence firms will deploy it as standard practice.
Every camera is a target. Not metaphorically - literally. The question is who is doing the targeting, what they want to see, and whether anyone on the camera owner's side is paying enough attention to notice that the feed has already been watched by someone who should not have access to it.
The billion cameras already deployed will not be replaced with secure alternatives overnight. The vulnerabilities disclosed in 2017 will still be live in cameras running in 2030. The military doctrine is settled. The civilian reckoning has barely started.
Sources: Check Point Research (March 6, 2026) - "Interplay Between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East"; Wired / Andy Greenberg (March 6, 2026) - "From Ukraine to Iran, Hacking Security Cameras Is Now Part of War's Playbook"; Financial Times intelligence source reporting on the Khamenei targeting operation; Ukraine SSU public advisories (January 2024); New America Foundation / Peter W. Singer; CISA / Beau Woods commentary via Wired.