NYSIC Cyber Intelligence Bulletin – Best Practices to Mitigate Threat Actor Targeting of IP Cameras

Created: Thursday, January 16, 2025 - 10:35
Categories: Cybersecurity, Federal & State Resources, Security Preparedness

The New York State Intelligence Center (NYSIC) recently released a TLP:CLEAR cyber intelligence bulletin titled “Best Practices to Mitigate Threat Actor Targeting of IP Cameras.” The report highlights how internet protocol (IP) cameras and other internet of things (IoT) connected devices pose a significant vulnerability for organizations that utilize them and emphasizes the need for these organizations to implement certain mitigation strategies.

In December 2024, the FBI sent out a notification about an active campaign that leveraged default passwords, outdated firmware, and unoptimized configurations to gain access to Chinese-branded IP cameras and digital video recorders. Additionally, NYSIC assesses that third-party technologies built into IoT devices may not be maintained over the long term, which increases the attack surface. Customers may not be fully aware of such technology and may dismiss certain vulnerabilities as not applicable to their devices.

Due to the widespread use of these devices, WaterISAC encourages members to review the recommendations included in the report and apply them to applicable IP cameras and IoT devices that are connected to their networks. WaterISAC further encourages members to investigate all components included with purchased IoT products. Having full awareness of all the products and components on your network will help keep these devices more secure.

Access the full NYSIC report below. 

Recommendations:

  • Change default usernames and passwords; avoid weak credentials
  • Maintain an accurate inventory of IoT devices including vendor, model, and software versions
  • Patch and update software regularly