As the military conflict in the Middle East escalated in late February 2026, security researchers detected something unusual: a surge in digital attacks against ordinary street cameras. Within days, according to Check Point Research, hundreds of these intrusion attempts had been targeted at Hikvision and Dahua surveillance systems across Israel, Qatar, Bahrain, Cyprus, and other regions experiencing active conflict. The timing was no coincidence. The hacking campaign aligned precisely with Iran's missile and drone strikes, suggesting military units were using compromised cameras to gather reconnaissance, assess damage, and plan subsequent attacks.
This is not an isolated incident.Experts believe the camera hacks were meant to gain access to street level imagery across desired targeting areas, assess impact damage, and collect evidence of a successful attack to use in military reports and propaganda videos. During the 2025 Israel-Iran conflict, Iranian operators gained access to a street camera overlooking Israel's Weizmann Institute of Science minutes before a ballistic missile strike. Ukrainian and Russian forces have been trading control of cameras across their contested borders. Even Hamas hackers attempted to hijack Israeli surveillance systems following the October 2023 escalation.
What makes this tactic particularly worrying is its cost-effectiveness and accessibility.Analysts assess that the Iranian operators may be compromising cameras to obtain battle damage assessment following missile strikes or to support targeting calibration before launches consistent with Tehran's broader doctrine of integrating cyber capabilities with military operations. A hacked camera provides superior tactical information compared to satellite imagery or drones, yet requires minimal investment. It avoids air defences. It offers ground-level perspectives that overhead surveillance cannot match. For any military planner, the logic is obvious.
The Vulnerability Question
The cameras being exploited are not cutting-edge military systems. They are mass-market devices installed on building facades, street corners, and critical infrastructure across every country.All of these security flaws have patches. Each vulnerability targeted in the recent campaign was discovered between 2017 and 2025. Years of fixes were available. Yetmany devices remain unpatched and directly accessible from the internet, creating easy entry points.
This is the core problem: accountability is fractured. The camera manufacturer (Hikvision or Dahua) releases patches. The system owner chooses whether to install them. The municipality or business deploying the camera rarely performs the update. The person whose home is monitored has no say in any of this chain. As cybersecurity researcher Beau Woods has observed, the victim and the device owner are not the same person. The incentive to secure the camera falls on no one in particular.
When a Hikvision camera becomes a conduit for military surveillance, no single actor bears clear responsibility. The manufacturer argues it provided patches. The owner claims insufficient technical expertise or awareness. The government that issued no mandatory security standards sits on the sidelines. This diffusion of accountability is the central governance failure underlying the problem.
A Pragmatic Path Forward
Critics from the left will correctly point out that profit-driven manufacturers have cut corners on security to compete on price. They have a point. Hikvision and Dahua have been criticised for over a decade regarding cybersecurity practices and human rights concerns. Manufacturers should bear more responsibility for shipped devices.
Those on the right will counter that individuals and organisations must take basic hygiene steps: change default passwords, segment networks, monitor for unusual access. This too is valid. Personal responsibility matters.
Yet neither argument resolves the fundamental issue. Consumer-grade IoT devices cannot be secured through voluntary manufacturer initiative alone, nor through user diligence when users lack technical expertise. The solution requires coordinated action: mandatory firmware updates, network isolation standards, transparency requirements, and clearer liability frameworks. Australia should advocate for such standards within international forums rather than waiting for market forces or individual responsibility to fill the void.
The uncomfortable reality is that civilian surveillance infrastructure will continue to be weaponised in future conflicts unless governments, manufacturers, and device owners coordinate. The cost of inaction is borne by populations whose security depends on systems they do not control and do not maintain. That is an unacceptable asymmetry.