Sekurak [1] [ Polish portal providing substantive information on cyber security.] recently published an article about cameras at one of the railway stations being directly accessible from the internet. Comments such as ‘so what?’ quickly appeared under the post. At first glance, it may indeed seem that this is not a big deal – just an image from one camera.
The problem begins when we look at such data through the prism of today’s analytical capabilities. In the age of AI, image recognition and big data analysis, even a single video source can provide very valuable information: about the movement of people, behaviour patterns, meetings or logistics in a given place.
It is worth comparing this seemingly trivial situation with a recent report by The Telegraph, which stated: ‘Israel hacked Tehran’s traffic cameras to spy on Khamenei […] Israel hacked nearly all of Tehran’s traffic cameras to spy on Ali Khamenei before launching an attack to kill Iran’s supreme leader.’ This shows that camera infrastructure – especially when it covers public spaces – can have significance far beyond simple surveillance.
Even a single camera at a station, with audio enabled or not, can be a very valuable source of information. What is more, it is easy to be misled into thinking that such a device is only a passive sensor. In practice, however, an IP camera is nothing more than a small computer connected to a network.
This means that it often runs on an old, outdated operating system with a vulnerable web interface and many known security vulnerabilities. In such a scenario, the camera can become an entry point into the infrastructure, act as a jump host, enable network reconnaissance, and even lead to privilege escalation through vulnerabilities in the management interface (e.g., XSS or other classic web application errors).
In short, it is not just a camera. It is an element of IT infrastructure operating in a very sensitive location.
Additionally, I am willing to bet that the first thing the “administrator” of this camera did after receiving information that it was accessible from the Internet was to panic and log in from their workstation (with a million other tabs open, cached permissions, and perhaps even an administrative account). He logged into the unfortunate camera to check and “change the password”. If the editors of Sekurak could log into it, so could thousands of others. They might not have been so nice and could have modified its software and introduced malicious modifications to its code. Such devices should be treated as compromised and dangerous. Just as a doctor would treat a patient who came to a visit with bleeding tears and blisters on their skin.
And if we start to consider scenarios in which the compromise of such infrastructure could lead to real, kinetic effects in the physical world… that’s a topic for a separate post.