Amazon Threat Intelligence has released new findings that should concern every organization operating connected devices. Presented at CYBERWARCON 2025 and detailed in Amazon’s security blog, the research outlines how nation-state actors have used compromised IP cameras and other exposed sensors to support missile targeting and pre-attack reconnaissance. This is not speculation. It is documented activity observed in the wild, with clear evidence of cyber techniques supporting real-world physical operations.
The research underscores an uncomfortable truth that defenders have been slow to accept. IP cameras, sensors, and other xIoT (extended Internet of Things, covering Operational Technology, the Internet of Medical Things, and consumer and enterprise IoT) systems are now part of the modern battlefield, whether that battlefield is geopolitical or corporate. The Amazon team describes how attackers exploited live CCTV feeds, vessel-tracking systems, and other unmanaged devices to gather targeting intelligence, coordinate timing, and refine strike plans. What makes this alarming is not the sophistication, but the simplicity. Attackers are exploiting the same weaknesses that we encounter in enterprise networks every day.
This blog is not about military conflict. It is about security fundamentals that remain neglected across the connected device ecosystem. The same class of vulnerabilities that enable a missile strike can enable a ransomware outbreak, data exfiltration, or operational shutdown. The vector is identical. The stakes differ only by environment.
Why IP Cameras Continue to Be Easy Targets
IP cameras present a near-perfect blend of opportunity and neglect. They are deployed everywhere, often without centralized ownership. They frequently run outdated firmware. Many still use default credentials. Network segmentation is inconsistent. And they provide visibility into physical environments that attackers value.
SonicWall tracked 17 million attacks on IP cameras in 2024, underscoring the aggressive targeting of these devices across various industries.
We have seen similar patterns in enterprise incidents. In one Akira ransomware intrusion, an unsecured IP webcam became the pivot point after EDR successfully blocked the attacker's Windows malware. From that single device, which ran no EDR agent, the attackers mounted network shares and deployed ransomware across the victim's environment.
The Amazon research is the most striking illustration yet. If a compromised camera can meaningfully support kinetic operations, the same weaknesses certainly place corporate networks, operational systems, and critical infrastructure at risk.
The Overlooked Risk: Chinese Backdoored Firmware Hidden Inside IP Cameras and Other Devices
The Amazon research highlights how attackers exploit exposed cameras, aligning with a persistent risk we have uncovered in enterprise environments. IP cameras are one of the most common sources of Chinese backdoored firmware present on corporate networks. Even when they are sold under Western branding or appear as generic OEM hardware, many still run firmware linked to manufacturers banned under U.S. NDAA Section 889, such as Dahua or Hikvision. The resulting exposures are often undocumented and easily exploitable, and the devices themselves are invisible to legacy discovery tools that rely on MAC/OUI lookups instead of interrogating the firmware: a white-labeled unit need not carry the original manufacturer's OUI, so a lookup table sees a harmless reseller while the firmware lineage says otherwise.
This creates a silent exposure. Organizations believe they’ve removed high-risk devices, yet the firmware tells a different story. And while Amazon’s findings focus on how compromised cameras can support physical operations, the underlying weakness remains the same: attackers exploit devices that were never properly secured.
Accurate identification is essential. Phosphorus Intelligent Active Discovery interacts directly with each device to determine its true origin, firmware lineage, and security posture, even when branding is disguised or white-labeled. When we confirm backdoored or banned devices, security teams can safely disable or remove them at scale, thereby eliminating a class of risk that attackers increasingly rely on.
IP cameras make the issue impossible to ignore. They are everywhere, rarely maintained, and too often shipped with compromised firmware. Without deep, firmware-level visibility, these risks stay hidden long after installation.
Discovery Is Not Enough: Action Is What Reduces Risk
The Amazon research makes one point impossible to ignore. Finding vulnerable devices is not the goal. Fixing them is. Attackers are not breaking into environments because organizations lack inventory tools. They succeed because the devices identified during discovery are rarely remediated. Default passwords remain unchanged. Firmware remains years out of date. Insecure services stay enabled. High-risk and banned devices stay online.
This gap between visibility and action is where most compromises occur.
Legacy tools stop at identifying devices. They cannot rotate credentials, patch firmware, fix expired certificates, or harden configurations. That leaves security teams with a list of issues but no practical way to resolve them at scale.
Phosphorus closes that gap. After discovery, the platform performs the work that actually reduces risk:
- Rotate default and weak credentials automatically
- Upgrade (or downgrade) vulnerable firmware
- Update expired or self-signed certificates
- Disable insecure services and enforce secure configurations
- Safely disable or remove banned and backdoored devices
- Continuously monitor for drift so devices do not fall back into unsafe states
Discovery tells you where the risks are. Action eliminates them. In the current threat landscape, where attackers exploit these weaknesses for both cyber operations and real-world targeting, remediation is no longer optional. It is the only path to reducing xIoT risk at scale.
The Core Problem: xIoT Devices Operate in the Dark
Across our work, Phosphorus has scanned more than 6.5 billion IP addresses on behalf of our customers, and the pattern is always the same. Unknown devices, unmanaged environments, and high-risk vulnerabilities create fertile ground for exploitation.
The numbers tell a consistent story:
- 70 percent of xIoT devices use default credentials.
- 68 percent run outdated or vulnerable firmware.
- 26 percent are already end-of-life.
These weaknesses are not edge cases. They are systemic. When cameras are deployed with exposed services, default passwords, and outdated firmware, attackers do not need to innovate. They simply need a target.
Connected Devices: No Longer Passive Endpoints
The Amazon findings spotlight a broader reality: connected devices are no longer passive endpoints. They influence physical outcomes. They shape operational integrity. And if compromised, they create risk that extends far beyond the traditional IT domain.
Three issues drive nearly all xIoT compromises:
1. Default or weak credentials
Why break in when adversaries can log in? Attackers do not need to guess what they already know. Enterprise-wide credential rotation eliminates a primary entry point, and it must be automated; rotating credentials by hand does not scale across thousands of devices.
2. Outdated firmware and exploitable CVEs
Firmware vulnerabilities are persistent, well-documented, and widely exploited. Continuous firmware discovery, scoring of each device's CVEs against CISA's Known Exploited Vulnerabilities (KEV) catalog and EPSS (Exploit Prediction Scoring System) probabilities, and automated updating prevent attackers from relying on years-old exploits.
3. Lack of accurate device visibility
You cannot secure devices you do not know you have. Legacy passive scanners often fail to detect or misclassify devices. Phosphorus identifies real device identity, firmware lineage, and risk posture with accuracy that passive tools cannot match, and does it in a fraction of the time.
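The prioritization described under point 2 is simple to implement once the inventory exists. The following is an added example written for this article, not Phosphorus code: it ranks each device's firmware CVEs by KEV membership first and EPSS probability second, and changes the recommended action for end-of-life devices, where no vendor fix will ever ship. The inventory, the KEV set, the EPSS values and the 30 percent EPSS threshold are all constructed for illustration, and the CVE identifiers are placeholders rather than real vulnerabilities; in production the KEV catalog and EPSS scores are pulled from their published feeds and refreshed daily.

```python
"""Rank xIoT firmware CVEs by KEV membership, then EPSS, then device.

Added example for this article, not Phosphorus code. All data below is
constructed; the CVE identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    cves: list[str]
    end_of_life: bool = False


# Constructed stand-ins for CISA's KEV catalog and the FIRST EPSS feed.
KEV = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}
EPSS = {
    "CVE-EXAMPLE-0001": 0.94,
    "CVE-EXAMPLE-0002": 0.61,
    "CVE-EXAMPLE-0003": 0.08,
    "CVE-EXAMPLE-0004": 0.02,
}

# Assumption: an EPSS 30-day exploitation probability of 30% or more is urgent.
EPSS_HIGH = 0.30


def tier(cve, kev=KEV, epss=EPSS):
    """0 = known exploited, 1 = likely to be exploited, 2 = everything else."""
    if cve in kev:
        return 0
    if epss.get(cve, 0.0) >= EPSS_HIGH:
        return 1
    return 2


def action(device, t):
    """What to do about one CVE on one device, given its tier."""
    if device.end_of_life:
        # No patch will ever ship: the fix is isolation or replacement,
        # regardless of how the CVE scores.
        return "isolate-or-replace"
    return {0: "patch-now", 1: "schedule-patch", 2: "track"}[t]


def prioritise(devices, kev=KEV, epss=EPSS):
    """Return one row per (device, CVE), most urgent first."""
    rows = []
    for d in devices:
        for cve in d.cves:
            t = tier(cve, kev, epss)
            rows.append({
                "device": d.name,
                "cve": cve,
                "tier": t,
                "epss": epss.get(cve, 0.0),
                "action": action(d, t),
            })
    # Known-exploited first, then higher EPSS first, then by device name.
    rows.sort(key=lambda r: (r["tier"], -r["epss"], r["device"]))
    return rows


# Constructed inventory of three cameras; model names and versions are made up.
INVENTORY = [
    Device("cam-lobby-01", "OEM-CAM-200", "V5.4.1",
           ["CVE-EXAMPLE-0003", "CVE-EXAMPLE-0004"]),
    Device("cam-dock-07", "OEM-CAM-200", "V5.2.0",
           ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"]),
    Device("cam-yard-03", "OEM-CAM-100", "V3.0.9",
           ["CVE-EXAMPLE-0002"], end_of_life=True),
]

if __name__ == "__main__":
    for r in prioritise(INVENTORY):
        print(f"tier {r['tier']}  epss {r['epss']:.2f}  "
              f"{r['device']:<14}{r['cve']:<20}{r['action']}")
```

The ordering matters more than the scores themselves: a KEV entry with a low EPSS value (here CVE-EXAMPLE-0003) still outranks a non-KEV CVE with a high one, because KEV records confirmed exploitation while EPSS only estimates its likelihood. The end-of-life camera shows the other side of the policy, where the same CVE yields a different action because patching is not an option.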
Practical Steps Every Organization Should Take Immediately
1. Establish accurate xIoT inventory
Shadow devices drive shadow risk. Active, safe discovery is now fundamental.
2. Eliminate default credentials
Automated rotation ensures credentials cannot be reused, reset, or exploited at scale.
3. Enforce secure configurations
Disable Telnet, FTP, and other unnecessary services. Standardize configurations across device families.
4. Modernize firmware lifecycle management
Continuously assess, update, and validate firmware integrity across every connected device.
5. Monitor for device drift
Passwords get reset. Firmware gets downgraded. Certificates expire. Automated device drift detection closes the windows that attackers rely on.
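Steps 2 through 5 above reduce to one recurring check: compare what a device looks like now against the hardening baseline for its model and against its last known-good state. The following is an added example written for this article, not Phosphorus code, showing that check for a small constructed fleet. The baseline, the device names and models, the snapshot fields and the timestamps are all assumptions; each snapshot stands in for what an authorized active scan of the device would return, with `default_login_succeeds` representing the result of an authorized login test rather than anything an attacker would see.

```python
"""Detect configuration drift on xIoT devices against a hardening baseline.

Added example for this article, not Phosphorus code. The baseline, the
observed snapshots, the device names and the timestamps are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed hardening baseline per device model.
BASELINE = {
    "OEM-CAM-200": {
        "min_firmware": "V5.7.3",
        "disallowed_services": {"telnet", "ftp", "upnp"},
        "max_password_age_days": 90,
    },
}


def parse_version(v):
    """'V5.7.3' -> (5, 7, 3); 'V5.7.3 build 240101' -> (5, 7, 3, 240101).
    Tuples compare element-wise, so a downgrade is simply current < previous."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def check_device(snapshot, known_good=None, baseline=BASELINE, now=None):
    """Return the drift findings for one device snapshot (empty list = compliant)."""
    now = now or datetime.now(timezone.utc)
    policy = baseline.get(snapshot["model"])
    if policy is None:
        # A model with no baseline must surface as a finding, not silently pass.
        return [f"no hardening baseline for model {snapshot['model']}"]
    findings = []
    fw = parse_version(snapshot["firmware"])
    if fw < parse_version(policy["min_firmware"]):
        findings.append(f"firmware {snapshot['firmware']} below baseline "
                        f"{policy['min_firmware']}")
    if known_good and fw < parse_version(known_good["firmware"]):
        findings.append(f"firmware downgraded from {known_good['firmware']} "
                        f"to {snapshot['firmware']}")
    exposed = set(snapshot["services"]) & policy["disallowed_services"]
    if exposed:
        findings.append("insecure services enabled: " + ", ".join(sorted(exposed)))
    if snapshot["default_login_succeeds"]:
        findings.append("default credentials accepted")
    age = (now - snapshot["password_rotated"]).days
    if age > policy["max_password_age_days"]:
        findings.append(f"password last rotated {age} days ago")
    if snapshot["cert_not_after"] < now:
        findings.append("TLS certificate expired")
    if snapshot["cert_self_signed"]:
        findings.append("TLS certificate is self-signed")
    return findings


def detect_drift(snapshots, known_good_by_name, baseline=BASELINE, now=None):
    """Map device name -> findings, for devices that have drifted."""
    drift = {}
    for s in snapshots:
        findings = check_device(s, known_good_by_name.get(s["name"]), baseline, now)
        if findings:
            drift[s["name"]] = findings
    return drift


UTC = timezone.utc
T0 = datetime(2025, 11, 20, tzinfo=UTC)  # constructed "now" for the scan

# Last known-good state recorded after the previous remediation pass.
KNOWN_GOOD = {"cam-lobby-01": {"firmware": "V5.7.3"}}

# Constructed snapshots from the current scan.
OBSERVED = [
    {"name": "cam-lobby-01", "model": "OEM-CAM-200", "firmware": "V5.4.1",
     "services": {"https", "rtsp", "telnet"}, "default_login_succeeds": True,
     "password_rotated": datetime(2025, 9, 1, tzinfo=UTC),
     "cert_not_after": datetime(2025, 10, 31, tzinfo=UTC), "cert_self_signed": False},
    {"name": "cam-dock-07", "model": "OEM-CAM-200", "firmware": "V5.7.3",
     "services": {"https", "rtsp"}, "default_login_succeeds": False,
     "password_rotated": datetime(2025, 10, 15, tzinfo=UTC),
     "cert_not_after": datetime(2026, 6, 1, tzinfo=UTC), "cert_self_signed": False},
    {"name": "cam-yard-03", "model": "OEM-CAM-100", "firmware": "V3.0.9",
     "services": {"http"}, "default_login_succeeds": False,
     "password_rotated": datetime(2025, 10, 1, tzinfo=UTC),
     "cert_not_after": datetime(2026, 1, 1, tzinfo=UTC), "cert_self_signed": True},
]

if __name__ == "__main__":
    for name, findings in detect_drift(OBSERVED, KNOWN_GOOD, now=T0).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The lobby camera illustrates the drift the text warns about: after a factory reset it is back on old firmware with Telnet open and default credentials accepted, and its certificate has since expired, even though nothing in the inventory changed. The yard camera shows why an unknown model is reported rather than skipped; a device with no baseline is unmanaged by definition.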
The Broader Message: The Line Between Cyber and Physical Has Collapsed
The Amazon Threat Intelligence research presented at CYBERWARCON 2025 did not reveal a new class of threat. It revealed the consequences of failing to secure technologies that have been vulnerable for years.
Whether through reconnaissance that aids a missile strike or lateral movement that enables ransomware, the catalyst is the same: unmanaged, unmonitored, and insecure connected devices.
Enterprises must now treat cameras, sensors, controllers, and other xIoT devices with the same rigor as traditional IT assets. The attack surface has expanded. The risks have evolved. The tools and processes must follow.
If your organization needs to eliminate unknown devices, harden high-risk systems, or bring xIoT security into operational alignment with the rest of your cybersecurity strategy, Phosphorus can help.
Author
Phosphorus Cybersecurity
Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.