Connected cameras: from peer surveillance weaknesses to military intelligence

Written by Régis Chatellier


09 April 2026


As vulnerabilities in connected devices, home automation systems, and connected surveillance cameras continue to multiply, bringing increasing risks for individuals, some connected cameras have in recent years been “hacked” and used for military surveillance purposes in conflict zones.

 

For many years, the CNIL has been interested in the development of connected devices for consumers and businesses. Early on, it produced materials to raise awareness and inform the public about the risks associated with poorly secured systems that can jeopardise individuals’ rights and privacy. These security vulnerabilities have grown alongside the expansion of connected and surveillance systems deployed by professionals and private individuals.

 

From connected devices to connected cameras

 

As early as 2015, the CNIL published an article titled: Objets connectés : n’oubliez pas de les sécuriser ! (Smart devices: don’t forget to secure them!), in which it reminded readers that while “connected devices may seem harmless and easily integrate into everyday life […], the data they process are not harmless. One must remain vigilant about how this data is shared and who is granted access to it”. The article outlined the risks involved as well as best practices to adopt when purchasing and using such devices. In 2017, in a subsequent publication, the CNIL provided a series of recommendations for securing connected toys, which were becoming increasingly popular. It notably warned that “communications and data collected by a connected toy may potentially be used for targeted advertising purposes,” but could also be “misused by a malicious individual, for example for fraud, identity theft or harassment”. That same year, the CNIL sanctioned a manufacturer of poorly secured connected dolls, which could be accessed “from twenty meters away” using a smartphone “without any need for authentication.” As a result, anyone could “hear everything recorded by the doll’s microphone: what children say, but more broadly everything being said in the room where the toy is located”.

More recently, in February 2026, an article by Popular Science reported the case of a computer engineer who had accidentally gained access to live video feeds, audio recordings, and data from nearly 7,000 connected vacuum cleaners across 24 countries. The engineer had been attempting to develop a remote application to control his own vacuum cleaner using a video game controller. It was while trying to understand how the device communicated with remote servers that he uncovered this security vulnerability (which has since been fixed).

Many vulnerabilities of this kind, most often due to a failure to change default passwords, have been widely reported and observed, whether involving toys such as those mentioned above, vacuum cleaners, or video baby monitors, for example. The growing use of these devices is part of a broader trend toward peer-to-peer surveillance, which the LINC has documented in several articles: Tous surveillants, tous surveillés (We are all watchers, we are all watched) in 2022 and La fin de l̶’̶h̶i̶s̶t̶o̶i̶r̶e̶ la surveillance ? (The End of History Surveillance) in 2024, as well as during the ethical event air2024: “La Surveillance dans tous ses états” (Surveillance in all its states). Since then, most manufacturers have required password resets upon first use.

In these articles, as well as in the complaints received by the CNIL, we observe that surveillance cameras entered households following the rise of connected devices in the workplace: “Video surveillance at work remains one of the topics for which the CNIL receives numerous complaints every year, facilitated by the declining cost of equipment and services and sometimes a lack of awareness of the applicable legal framework”. These same cameras are increasingly installed by private individuals to monitor the surroundings of their homes, whether through traditional CCTV systems or connected doorbells, such as Ring, a product marketed by Amazon.

From workplace and privately installed surveillance cameras to connected objects (fridges, vacuum cleaners, glasses, etc.), blind spots have thus gradually been reduced, as the “keyholes” through which one can observe without being seen have multiplied.

 

Hacking cameras: a “nearly ordinary” practice in contemporary conflicts

 

Intelligence services from various countries have been able to take advantage of this development. Thus, in recent years, connected surveillance cameras have been “hacked” for military surveillance purposes in conflict zones in Ukraine, Israel, and Iran, among others. The cameras involved are those that transmit their images over the internet (via an IP address), rather than closed-circuit television (CCTV) systems traditionally used for video surveillance. 

Several emblematic cases have been identified in conflict zones. For instance, in Ukraine, as early as 2024, Russia hacked surveillance cameras to monitor air defense infrastructure and, according to Ukrainian intelligence, to “collect data in order to prepare and adjust their strikes”. In Iran, Israeli intelligence services are also believed to have prepared their offensive by using hacked traffic cameras - access to which they had maintained for several years. These images are said to have enabled real-time monitoring of movements around the Iranian Supreme Leader, Ayatollah Ali Khamenei, helping to plan the airstrike that killed him. In Israel, a study published on March 4 2026 by the Tel Aviv-based cybersecurity company Check Point claims to have detected hundreds of hacking attempts targeting consumer surveillance cameras in Israel and more broadly across the Middle East (Qatar, Bahrain, Kuwait, the United Arab Emirates, Lebanon), and even Cyprus, at dates that coincide with Iranian strikes.

Compared to more traditional intelligence methods (i.e., satellites and drones capturing aerial imagery), these urban cameras provide a novel richness of content. They capture ground-level details with more horizontal perspectives - for example, building entrances, streets, intersections, vehicle movements, or the presence of guards and military equipment.

 

Simple security vulnerabilities enabling hacking 

 

Attacks do not require complex resources to be effective. The most common method consists of exploiting vulnerabilities built into operating systems, or simply logging in using the default passwords supplied with the device when it leaves the factory (the same type of vulnerability that previously enabled access to the connected toys and baby monitors mentioned above). The Check Point report states that attempts to access cameras attributed to Iran specifically targeted certain vulnerabilities in products from two camera manufacturers (Hikvision and Dahua).

These attacks are facilitated by the fact that many cameras installed in public spaces and small businesses suffer from what experts call “digital negligence”. Users, when not required to do so, fail to change the default administrator password set at the factory, neglect software updates, or configure the device in such a way that anyone who knows its IP address can easily access the login page.
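
As an added illustration (not part of the original article), the three lapses described above can be checked offline by cross-referencing a camera inventory with the router's port-forwarding table. The field names, sample records and the 365-day firmware threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data, not real devices. Field names are assumptions.
CAMERAS = [
    {"name": "shop-entrance", "lan_ip": "192.168.1.20", "admin_port": 80,
     "password_changed": False, "firmware_date": date(2021, 3, 1)},
    {"name": "stockroom", "lan_ip": "192.168.1.21", "admin_port": 443,
     "password_changed": True, "firmware_date": date(2026, 1, 15)},
    {"name": "car-park", "lan_ip": "192.168.1.22", "admin_port": 8080,
     "password_changed": True, "firmware_date": date(2023, 6, 30)},
]
# Port-forward rules as exported from the router: (wan_port, lan_ip, lan_port).
PORT_FORWARDS = [(8081, "192.168.1.20", 80), (8443, "192.168.1.22", 8080)]
MAX_FIRMWARE_AGE_DAYS = 365  # assumed policy threshold


def audit_camera(cam, forwards, today):
    """Return finding codes for one camera."""
    findings = []
    if not cam["password_changed"]:
        findings.append("DEFAULT_PASSWORD")
    if (today - cam["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("STALE_FIRMWARE")
    # The login page is internet-facing if any rule forwards to its admin port.
    target = (cam["lan_ip"], cam["admin_port"])
    if any((ip, port) == target for _, ip, port in forwards):
        findings.append("ADMIN_EXPOSED")
    return findings


def priority(findings):
    """Rank remediation: an exposed login page with the factory password comes first."""
    exposed = "ADMIN_EXPOSED" in findings
    default_pw = "DEFAULT_PASSWORD" in findings
    if exposed and default_pw:
        return "critical"
    if exposed or default_pw:
        return "high"
    return "medium" if findings else "ok"


def audit_all(cameras, forwards, today):
    return {c["name"]: audit_camera(c, forwards, today) for c in cameras}


if __name__ == "__main__":
    for name, found in audit_all(CAMERAS, PORT_FORWARDS, date(2026, 4, 9)).items():
        print(f"{name}: {priority(found)} {found}")
```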

Remote access to cameras is not new: the website Shodan, created in 2009, is a search engine for Internet-connected devices that have a visible IP address on the network, including cameras.

 

The development of private video surveillance and domestic uses represents a risk

 

The CNIL has observed in recent years a strong increase in the use of surveillance cameras installed in shops to monitor buildings, as well as those deployed by private individuals. These devices are often the same as those that have been targeted in attacks.

At a macro level, that is, on a national scale, the risk of attacks on internet-connected video surveillance networks in France is similar to that observed in other countries, as long as cameras installed by individuals and businesses are connected and poorly secured.

At a micro level, concerning individual rights, these same security vulnerabilities can also be exploited by malicious actors, who may gain access to images and private, even intimate, conversations, as the CNIL has already highlighted in previous cases.

The evolution of these technologies is also likely to generate other types of privacy risks. In the United States, an advertisement for a new feature in Ring cameras sparked controversy and was ultimately withdrawn. The company had planned to offer a “lost dog recognition” system called “Search Party,” which many immediately saw as a precursor to facial recognition technology.

The accumulation of such examples involving misuse and the resulting risks to privacy should collectively alert us to the need to limit their use and, at the very least, to take their security seriously.


Photo by Mathias Reding (Pexels)


Article written by Régis Chatellier, in charge of foresight studies