Cybercriminals Are Selling Access to Chinese Surveillance Cameras

💡 Tens of thousands of Chinese-made surveillance cameras remain unpatched against a critical vulnerability disclosed 11 months ago, leaving thousands of organizations exposed. Hackers are now openly selling remote access to these cameras on the dark web.

One Critical Vulnerability, Tens of Thousands of Cameras Compromised

A massive cybersecurity crisis is quietly unfolding. Security researchers have discovered that cybercriminals are actively selling remote access to Chinese-made surveillance cameras on the dark web and underground forums. The root cause: tens of thousands of cameras remain unpatched against a critical vulnerability, tracked as a CVE, that was publicly disclosed 11 months ago, rendering the security defenses of thousands of organizations worldwide virtually useless.

The severity of this vulnerability has been rated "critical" by security experts. Attackers can exploit it to gain full remote control of the cameras, including viewing live surveillance feeds, retrieving archived footage, and even using the cameras as a springboard to infiltrate an organization's internal network.

AI-Powered Surveillance Devices Become Prime Attack Targets

In recent years, with the deep integration of AI technology in the security sector, modern surveillance cameras are no longer simple recording devices. Smart cameras equipped with AI capabilities such as facial recognition, behavioral analysis, and object tracking have been widely deployed in government agencies, corporate campuses, public transportation systems, schools, hospitals, and other critical facilities. This means that once these devices are compromised, the breach extends far beyond video footage — it can also expose vast amounts of AI-processed structured data, including facial information, movement trajectories, behavioral patterns, and other highly sensitive personal data.

Security researchers note that the affected devices span an extremely wide range, covering multiple mainstream brands and models. Criminals are selling access credentials to these cameras in bulk on the dark web at remarkably low prices. Some "packages" are even categorized and bundled by region and industry, with clearly listed prices — a fully mature black market supply chain.

11 Months Unpatched: Who Should Be Held Accountable?

What makes this situation particularly alarming is that manufacturers released patches long ago, yet a vast number of devices have still not been updated. The reasons behind this predicament are multifaceted:

First, device management is fragmented. Many surveillance cameras fall into a "deploy and forget" state after installation, lacking ongoing maintenance and security update mechanisms. Small and medium-sized organizations, in particular, often lack dedicated IT security teams to track and address device vulnerabilities.

Second, firmware update mechanisms are outdated. Unlike smartphones and computers, a large number of IoT devices lack automatic update capabilities. Firmware upgrades require manual intervention, involve cumbersome processes, and carry the risk of "bricking" the device, discouraging administrators from applying updates.

Third, the supply chain is complex. Chinese-made surveillance equipment enters the global market through multiple layers of distributors and integrators, making it difficult for vulnerability notifications to effectively reach end users.

Fourth, security awareness is weak. Many users still rely on factory-default passwords and even expose devices directly to the public internet without any firewall or VPN protection.

The AI Security Industry Faces a Trust Crisis

This incident once again sounds the alarm for security in the AI surveillance sector. Ironically, devices designed to protect security have themselves become entry points for security threats. This not only damages the brand reputation of the manufacturers involved but also plunges the entire AI security industry into a trust crisis.

From a broader perspective, this incident reflects deep-seated issues in IoT security governance. According to industry estimates, there are currently over one billion active surveillance cameras worldwide, a significant proportion of which run outdated firmware with known but unpatched security vulnerabilities. As AI capabilities continue to grow, the data these devices collect and process becomes increasingly sensitive, and security risks are amplifying exponentially.

Cybersecurity agencies in multiple countries have issued warnings, advising organizations to immediately audit their deployed surveillance devices, prioritize patching known vulnerabilities, change default credentials, and operate devices within isolated network segments.
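
The audit those advisories describe can be run over a device inventory export. The following is an added example, not code from the article or any vendor: the patched firmware version, the camera segment, the CSV columns and every device row are constructed assumptions, since the article names neither the CVE nor the fixed release.

```python
import csv
import io
import ipaddress

# Assumption: placeholder for the vendor's patched release (not given in the article).
PATCHED_FIRMWARE = (2, 0, 0)
# Assumption: hypothetical isolated VLAN reserved for cameras.
CAMERA_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export; these are not real devices.
INVENTORY_CSV = """name,ip,firmware,default_password
lobby-cam,10.20.30.11,2.0.0,no
dock-cam,10.20.30.12,1.9.3,no
gate-cam,203.0.113.40,2.0.0,yes
lab-cam,192.168.1.77,1.4.10,yes
"""

def parse_version(text):
    """Turn '1.9.3' into (1, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def audit_camera(row):
    """Return the list of findings for one inventory row (empty if compliant)."""
    findings = []
    addr = ipaddress.ip_address(row["ip"])
    if parse_version(row["firmware"]) < PATCHED_FIRMWARE:
        findings.append("firmware below patched release")
    if row["default_password"].strip().lower() == "yes":
        findings.append("factory-default credentials")
    if not any(addr in net for net in RFC1918):
        # Not private address space: treat as possibly internet-exposed.
        findings.append("not on an RFC 1918 private address")
    elif addr not in CAMERA_SEGMENT:
        findings.append("outside isolated camera segment")
    return findings

def audit_inventory(csv_text):
    """Audit every row and keep only the devices that have findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {row["name"]: audit_camera(row) for row in reader}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY_CSV).items():
        print(f"{name}: {'; '.join(found)}")
```

Devices with a firmware finding are the ones to patch first; the other findings map to the credential and segmentation advice.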

Looking Ahead: Security and Intelligence Must Go Hand in Hand

The lesson from this incident is clear: the pursuit of "intelligence" in AI security devices must not come at the expense of "security." Going forward, the industry needs to make sustained efforts in several key areas:

  • Mandatory security baseline standards: Push for the establishment of minimum security requirements for IoT devices, including enforced password policies, encrypted communications, and automatic update capabilities.
  • Full lifecycle security management: From manufacturing to decommissioning, establish comprehensive security operations processes to ensure vulnerabilities are identified and remediated promptly.
  • AI-powered security defense: Leverage AI technology itself to detect anomalous access behavior and enable proactive defense at the device level.
  • Supply chain security transparency: Build a security traceability framework from chip to cloud, giving end users clear visibility into the security status of their devices.

In an era where AI and surveillance are deeply intertwined, every networked camera can become a frontline battleground in the ongoing cyber offensive-defensive struggle. Only by truly embedding security awareness into every stage of product design and operational management can we prevent the paradox of "security devices becoming security liabilities" from repeating itself.