
Hackers Can Take Over Your Security Cameras—and It’s Easier Than You Think

Government agencies, schools, and hospitals install security cameras to protect their clients and their own integrity. But as one research team discovered at the Black Hat security conference this year, those cameras can pose a security risk.

 & Neil J. Rubenking Principal Writer, Security


LAS VEGAS—You install surveillance cameras to protect the security and privacy of your home or business. If someone commits a break-in, you have a video record. But what if you’re not the only one watching those cameras? What if the camera is vulnerable to hacking? You may not be the only one who can tap into the camera’s feed, and at the Black Hat security conference, security researchers revealed exactly how easy it can be.

Noam Moshe, vulnerability researcher with cyber-physical security firm Claroty and member of Claroty’s Team82, did a deep dive into cameras made by Axis Communications, a Swedish company and a major producer of security cameras and related hardware. Axis operates above the consumer level, supplying security for governments, schools, hospitals, and Fortune 500 companies (in other words, you won’t find it in our roundup of consumer-oriented home security cameras).

Moshe found some serious problems, which he presented to attendees. But don’t run to throw a towel over your cameras. Axis has patched the flaws in its software, so as long as you get the update, you should be fine. As for the next hack (and there will be a next hack), we can only hope it’s found by Moshe and his team, not by hackers with bad intentions.


Easy Remote Camera Control Means Others Get Easy Access, Too

“My day job is to look for vulnerabilities on all sorts of devices, and responsibly disclose them,” said Moshe. “It’s my playground.” This particular project began when he scanned the internet for unsecured ports and discovered some of them using an unfamiliar service called axis.remoting. “When I see a service that’s esoteric, that’s my cue,” Moshe explained.

He said that Axis is a major security camera vendor for large companies with hundreds of cameras in multiple locations. Remote access is a must, and Axis offers two versions, one that’s extremely secure and expensive, and one that’s less expensive but exposes the axis.remoting service he discovered. Naturally, the latter is more popular.

Moshe explained that the Axis software grants its own device manager complete control over your fleet of cameras, and that can lead to problems (and unintentional access to other people's cameras, too). “Then Axis Camera Station comes into play. From one central location, you can consume all the live feeds,” he explained. The team focused on hacking these server-side apps, their client apps, and, of course, the cameras.


As with many Black Hat presentations, Moshe’s success came from working through endless mistakes and blind alleys. Eventually, he parlayed his access to the point of taking full control of all the security cameras, which are basically tiny Linux computers.

With that degree of control in place, he extended the hack to the servers running Axis Device Manager and Axis Camera Station. “We can now execute code on the client, the server, and all the cameras,” he exulted. Remote execution of arbitrary code, essentially making a device do whatever you want because you can access it completely, is the holy grail of hacking, so this was a huge success.


Who Is Vulnerable?

“Who is vulnerable to such an attack?” asked Moshe. He used the device-level search engine Shodan to seek servers that expose the axis.remoting protocol. “I discovered 6,500 servers, 4,000 of them in the US,” he explained. “But who is sitting behind these servers?” He showed that a simple query revealed the server’s name, from which he could identify the company.

“Why do we see so many?” he continued. “This field is less and less open. Many Chinese companies are banned in the US and Europe.” Axis Communications is based in Sweden, so it seems secure.

Moshe mentioned responsible disclosure at the start of the talk. When he disclosed his findings to Axis, the company responded in 10 minutes and got busy patching. “Axis was probably one of the swiftest responses I’ve had,” said Moshe. “But we need to make sure we are applying those security patches.”

This is the best possible outcome—researchers find a security flaw and notify the company, and a security patch quickly appears. But Moshe and his team keep seeking new flaws, as do teams of hackers. We can only hope the white hat teams reach the goal first. It's even more reason to pay attention to good cybersecurity hygiene, whether you're a big company or an at-home user.
