Hackers can peek through surveillance cameras, report says

A researcher in Argentina showed he could log into tens of thousands of DVR cameras and view the video stream live, according to Bleeping Computer.

Laura Hautala

A security researcher says he can access thousands of internet-connected cameras with a line of code.

James Martin/CNET

Tens of thousands of surveillance cameras are vulnerable to hackers, according to Bleeping Computer. The cameras are connected to the internet, and a researcher in Argentina found they have a flaw that anyone could exploit with a short line of code to log in.

The researcher first found the flaw in cameras made by Spanish camera maker TBK Vision, then found that several other brands from around the globe appeared to be affected. Those included cameras sold by CeNova, Night Owl, Novo, Pulnix, Q-See and Securus. The flaw lets hackers receive a camera's username and password in plain text.

TBK Vision, Pulnix, Q-See and Securus didn't respond to requests for comment. CeNova, Night Owl and Novo could not be reached for comment. The researcher, Ezequiel Fernandez, declined to speak with Bleeping Computer, but the publication showed the research to other security experts who said the hacking code could successfully access the login credentials for the cameras Fernandez identified. Fernandez didn't respond to a request for comment from CNET.

Internet-connected surveillance systems are especially vulnerable to hackers when they come with default passwords. Hackers can find the cameras online by using search engines like Google or Shodan, which let users locate anything that connects to the internet. Often, hackers can then attempt to log in. If your username and password are both "admin," then hackers will have an easy time accessing your camera.

Things get even worse when hackers find ways to quickly access a large number of cameras at once. That's what happened during the Mirai attacks in 2016, when hackers accessed internet-connected cameras and infected them with malicious software. That created a network of hacked devices. The hackers then used the cameras to send an overwhelming number of requests to popular websites like Twitter, Reddit and Netflix, temporarily taking them offline.