By NHI Mgmt Group Editorial TeamPublished 2026-04-03Domain: Breaches & IncidentsSource: Elisity

TL;DR: Iranian state actors used five known Hikvision and Dahua vulnerabilities to turn IP cameras into reconnaissance tools during military operations, with Check Point documenting hundreds of compromise attempts across multiple countries. The attack shows why static segmentation, weak credential ownership, and invisible IoT devices leave lateral movement paths open.


At a glance

What this is: This analysis shows how compromised IoT cameras can become unmonitored footholds for lateral movement and operational reconnaissance.

Why it matters: It matters because IAM and security teams must treat device identity, access scope, and east-west containment as core controls for unmanaged IoT populations, not as network afterthoughts.

By the numbers:

👉 Read Elisity's analysis of IoT camera security and lateral movement risk


Context

IoT camera security fails when organisations treat embedded devices as ordinary network endpoints. Cameras, badge readers, and similar devices often lack agent support, rely on weak or default credentials, and sit in broadly trusted network zones that attackers can abuse once a device is compromised. The primary keyword here is IoT camera security, and the article argues that the real control gap is not visibility alone but containment.

That gap matters to identity programmes because device identity and access scope are now part of lateral movement defence. When a camera can talk to more than its intended management and video services, the problem is not just segmentation hygiene. It is a governance failure over what that device is allowed to reach, how long it stays trusted, and who owns its lifecycle.


Key questions

Q: What breaks when IoT devices rely on VLANs for security?

A: VLANs break down because they group devices by location rather than by trust, and they usually allow broad east-west communication inside the same segment. If one camera is compromised, the attacker can often scan and pivot to every other device in that zone. That makes VLANs useful for organisation, but weak for containment.

Q: Why do unmanaged cameras complicate identity and access governance?

A: Unmanaged cameras complicate governance because they still have identities, credentials, and access paths, but those controls are often owned by no one. If default passwords, shared accounts, or long-lived secrets are not assigned clear lifecycle ownership, the device becomes a persistent trust gap. The control problem is identity without stewardship.

Q: How do security teams stop IoT devices from becoming lateral movement footholds?

A: Security teams should deny broad internal reach from IoT devices and enforce per-device policy based on what each device must access. Containment should happen at the network edge, with monitoring for discovery behaviour, unexpected remote services, and unusual outbound connections. The goal is to limit the blast radius before compromise spreads.

Q: Who is accountable when an IoT device is used for internal reconnaissance?

A: Accountability should be shared across the teams that own the device, the network path, and the security policy, but one function must be designated to manage the lifecycle. If nobody owns credential rotation, segmentation, and offboarding, the organisation has created a governance vacuum. That vacuum is what attackers exploit.


Technical breakdown

Compromised IoT cameras as east-west pivot points

Embedded cameras are attractive to attackers because they sit inside the network perimeter while often lacking endpoint controls, strong authentication, and ongoing monitoring. Once code execution is gained through a known vulnerability, the device can scan adjacent subnets, enumerate services, and relay traffic to higher-value systems. The technical issue is not only initial compromise. It is that the device can operate as a stable, low-visibility bridge into internal systems while looking like ordinary camera traffic.

Practical implication: restrict every camera to explicit destination and port allowlists, not broad VLAN trust.

Why VLANs, ACLs, and NAC break down for IoT device security

VLANs create coarse zones, ACLs become unmanageable at scale, and NAC tools often assume interactive endpoints that can authenticate, attest, and comply. IoT devices frequently cannot support 802.1X, EDR, or agent-based policy checks, so those controls either fall back to weak methods or become operationally brittle. The result is a control stack designed for laptops being stretched across devices that behave very differently, leaving east-west movement path open once one device is taken over.

Practical implication: move IoT segmentation to identity-based enforcement that follows the device, not the port.

Identity-based microsegmentation for unmanaged devices

Identity-based microsegmentation uses passive discovery and behavioural classification to build device identity from traffic patterns, fingerprints, and observed services. Policy is then applied per device or device class, so a camera can reach only its video management server and required management services. This is the core architectural shift: trust is no longer inferred from network location. It is continuously checked against what the device is and what it is doing.

Practical implication: enforce per-device policy at the network edge and continuously verify behaviour anomalies.


Threat narrative

Attacker objective: The attacker objective is to convert a low-value surveillance device into an internal foothold that enables reconnaissance, lateral movement, and mission-supporting intelligence collection.

  1. Entry begins with exploitation of one of the documented Hikvision or Dahua vulnerabilities on an internet-exposed camera, giving the attacker code execution on a device inside the network.
  2. Escalation occurs when the attacker uses the compromised camera to scan adjacent systems and pivot through overpermissive east-west access into other hosts and services.
  3. Impact follows when the camera becomes a persistent reconnaissance platform that supports broader operational intelligence collection and exfiltration, including support for kinetic operations.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IoT camera compromise is really a device identity governance problem. The article shows that the issue is not simply vulnerable firmware but the absence of precise control over what a device is allowed to do once it joins the network. When a camera can initiate discovery or lateral movement, network location has become an unreliable trust signal. For IAM and NHI teams, this is the same governance problem seen with unmanaged service identities: if identity is not tied to behaviour and lifecycle, access expands by default. Practitioners should treat device identity as an enforceable policy boundary.

Static segmentation is no longer a credible containment model for unmanaged devices. VLANs and broad ACLs create zones, not blast-radius control. The article’s example shows why that matters: once one IoT device is compromised, any shared trust zone becomes a launch pad for internal movement. This is not a tooling failure alone. It is an assumption failure that network placement equals security. Practitioners should re-evaluate whether their segmentation design can still contain east-west abuse after initial compromise.

Identity-based microsegmentation is the named concept this incident makes unavoidable. The right model is not just smaller network segments, but policy that follows the device identity and observed behaviour wherever it connects. That matters because the article’s cameras were useful precisely because they were trusted too broadly for too long. In governance terms, the control objective is not visibility after compromise. It is limiting what a compromised device can reach before the attacker can turn it into a pivot point. Practitioners should align controls to per-device trust and continuous verification.

The credential lifecycle gap around IoT devices is a hidden control failure. The article repeatedly points to default credentials, hardcoded access, and unclear ownership between IT and facilities. That is an IAM problem even when the device is not a traditional user account. If no one owns secret rotation, revocation, and offboarding for embedded devices, compromise windows remain open for years. Practitioners should put device credentials, not only human accounts, under formal identity governance.

Visibility without containment will not stop the next camera compromise. Many programmes can now see their IoT estate, but visibility alone does not prevent an attacker from using it as a bridge. The article shows that the decisive control is the ability to deny east-west movement from a compromised device. That is where NIST-CSF, MITRE ATT&CK, and NHI-style lifecycle thinking converge in practice. Practitioners should measure success by reduced reachability, not by inventory size.

From our research:

What this signals

Device identity must now be treated as an enforcement primitive, not an inventory label. IoT programmes that stop at discovery will continue to miss the real risk, which is uncontrolled reachability after compromise. The practical shift is to connect device classification to policy, so a camera or controller can only talk to the services it genuinely needs, and nothing else.

Standing trust in unmanaged devices is the new hidden privilege problem. When credentials, segmentation, and network paths remain static for years, compromise windows stay open long enough for attackers to use them operationally. That is why lifecycle discipline, not just detection, should shape camera and IoT governance.

Identity-based microsegmentation and NHI governance are converging around the same operational question: what is this thing allowed to reach right now? The more programmes can answer that question continuously, the less likely a compromised device becomes an internal reconnaissance platform. For readers, the next step is to align device policy with 52 NHI Breaches Analysis and zero-trust design expectations.


For practitioners

  • Map every camera to an explicit trust boundary Build per-device allowlists that specify exactly which video management, update, and management services a camera may reach. Remove any broad access to file shares, administrative interfaces, or adjacent user VLANs, and validate the rules with live traffic captures.
  • Assign ownership for device credential lifecycle Create named ownership for camera and IoT credentials so default passwords, shared accounts, and stale secrets are rotated and revoked on schedule. Tie onboarding and offboarding to facilities, network, and security workflows so no device sits in an unowned state.
  • Replace VLAN trust with identity-based segmentation Use identity-based microsegmentation to enforce policy at the network edge, based on device type and observed behaviour rather than switch port or subnet. This lets you contain compromised devices without relying on endpoint agents that cameras cannot support.
  • Monitor for discovery behaviour from low-risk devices Alert when cameras or other embedded devices start scanning subnets, opening remote services, or initiating unexpected outbound connections. Those behaviours often indicate the shift from passive compromise to active lateral movement.
  • Review unmanaged device exposure after every site change Reassess camera placement, switch moves, and building network changes as security events, not just facilities tasks. Topology drift often reopens paths that previously looked contained.

Key takeaways

  • Compromised IoT cameras can act as internal reconnaissance platforms, which makes east-west containment a first-order control requirement.
  • The evidence points to a governance failure as much as a technical one, with broad trust zones, weak credential ownership, and invisible devices all widening attack paths.
  • Identity-based microsegmentation and formal device credential lifecycle ownership are the controls most likely to reduce blast radius in this threat pattern.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0007 , Discovery; TA0008 , Lateral Movement; TA0042 , Resource DevelopmentThe article maps the camera compromise to a clear attack chain with discovery and lateral movement.
NIST CSF 2.0PR.AC-4Per-device access limits and segmentation align with access control outcomes in the framework.
NIST SP 800-53 Rev 5AC-4AC-4 directly supports information flow enforcement between camera segments and higher-value systems.
CIS Controls v8CIS-12 , Network Infrastructure ManagementThe attack exposed weaknesses in network segmentation and infrastructure governance.
NIST Zero Trust (SP 800-207)The article argues for continuous verification and reduced implicit trust across device paths.

Map exposed cameras to ATT&CK stages and block the transition from initial access to internal discovery.


Key terms

  • Identity-Based Microsegmentation: Identity-based microsegmentation is a network control model that limits each device to only the specific services it needs. Instead of trusting a subnet or VLAN, policy follows the device identity and its observed behaviour, which reduces the blast radius when embedded systems are compromised.
  • East-West Traffic: East-west traffic is communication between devices inside the internal network, not traffic entering or leaving the organisation. It matters because attackers who compromise one device often move laterally through internal connections that perimeter tools do not inspect closely enough.
  • Device Credential Lifecycle: Device credential lifecycle is the end-to-end management of secrets, certificates, and access tokens used by embedded systems. It includes provisioning, rotation, revocation, and offboarding, and it is essential when no human operator directly logs into the device each day.
  • Lateral Movement: Lateral movement is the process an attacker uses to pivot from one compromised system to others inside the environment. In IoT environments, it often begins with a low-value device and expands toward systems that store data, control operations, or support broader access.

What's in the full article

Elisity's full blog covers the operational detail this post intentionally leaves for the source:

  • A device-by-device segmentation framework for cameras, badge readers, and other embedded systems.
  • The operational reasons VLANs, ACLs, and NAC controls fail when applied to IoT estates.
  • Examples of attacker lateral movement stages mapped to specific MITRE ATT&CK techniques.
  • Implementation guidance for identity-based microsegmentation in enterprise networks.

👉 Elisity's full post covers the attack chain, segmentation failures, and microsegmentation model in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect lifecycle control to broader identity and access decisions.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org