The Botnet Threat: How Your Security Camera Could Be Weaponised

Security Camera Botnet Attacks: How Your Camera Could Be Turned Against You

A security camera botnet attack is one of the most insidious cyber threats facing IoT device owners today. The device you installed to protect your property could be silently conscripted into a criminal network — a botnet — and used to attack websites, businesses, and critical infrastructure without your knowledge. Your camera continues to function normally, recording footage and responding to your app, while simultaneously participating in large-scale cyberattacks directed by criminals who have taken control of its underlying operating system.

This is not a hypothetical scenario. The Mirai botnet, first discovered in 2016, recruited hundreds of thousands of security cameras, DVRs, and routers into a network that launched some of the largest distributed denial-of-service (DDoS) attacks in internet history. Its descendants and imitators continue to operate in 2026, and New Zealand devices are among their targets. Understanding how botnets recruit cameras, how to detect compromise, and how to protect your devices is essential knowledge for anyone operating networked security equipment.

How Botnets Recruit Security Cameras

The process by which a security camera becomes part of a botnet follows a well-established pattern that exploits common security oversights.

Step 1: Scanning

Botnet operators run automated scanning tools that sweep the internet, probing every IP address for devices with open network ports. When the scanner finds a device responding on ports commonly used by security cameras and DVRs — such as port 80 (HTTP), 443 (HTTPS), 554 (RTSP), or 37777 (Dahua) — it identifies the device as a potential recruit.

These scans are continuous and global. Every public-facing IP address in New Zealand is probed hundreds of times per day by various scanning operations. If your camera or NVR is accessible from the internet — whether through intentional port forwarding or through UPnP automatically opening ports — it is being probed.

Step 2: Credential Testing

Once a camera is identified, the botnet’s automated tools attempt to log in using default credentials. They maintain databases of factory default usernames and passwords for every major camera manufacturer — admin/admin, admin/12345, root/pass, and thousands more. If the device is still running its factory default credentials, the bot logs in successfully.

More sophisticated botnets also attempt brute-force attacks against devices with changed but weak passwords. Short passwords, dictionary words, and common patterns like “Camera1” or “Security2024” fall quickly to automated password-cracking tools.

Step 3: Infection

With administrative access obtained, the bot downloads and executes malware on the camera’s embedded Linux operating system. The malware establishes a persistent connection back to a command-and-control (C2) server operated by the botnet controller. The camera is now a soldier in the botnet army, awaiting instructions.

Step 4: Weaponisation

When the botnet controller directs an attack, each infected device receives instructions to send network traffic to a specific target. With tens or hundreds of thousands of devices all sending traffic simultaneously, the combined flood overwhelms the target’s network capacity — a distributed denial-of-service (DDoS) attack that can take down websites, online services, and even internet infrastructure providers.

Why New Zealand Devices Are Targets

New Zealand’s internet infrastructure makes local devices attractive to botnet operators for several reasons.

High-quality internet connections: New Zealand’s fibre broadband delivers fast upload speeds, which means an infected device in New Zealand can contribute more attack traffic per device than one on a slow connection elsewhere. Botnet operators prefer devices with fast, reliable internet connections because each recruit contributes more to the total attack volume.

Geographic diversity: DDoS attacks are more effective when they come from geographically diverse sources. Devices in New Zealand add Southern Hemisphere diversity to botnets that might otherwise be concentrated in North America, Europe, or Asia, making the attack traffic harder to filter based on geographic origin.

Relatively low cybersecurity awareness: While New Zealand has a strong IT sector, cybersecurity awareness among residential and small business security camera owners lags behind larger markets. Default passwords and unpatched firmware are more prevalent than in markets where cybersecurity education has been more aggressive.

How to Check If Your Camera Has Been Compromised

Detecting a compromised security camera is not straightforward because the botnet malware is designed to be invisible. The camera continues to function normally — recording, streaming, and responding to your app — while the malicious activity runs in the background. However, several indicators can suggest compromise:

Network Traffic Anomalies

A compromised camera generates unusual network traffic as it communicates with the botnet’s command-and-control server and participates in attacks. Check your router’s traffic monitoring for:

  • Unusually high data usage from camera devices, particularly upload traffic that exceeds what video streaming to your NVR or cloud service should require
  • Connections to unknown IP addresses, particularly in countries where your camera’s cloud services are not hosted
  • Traffic spikes at unusual times, especially if the camera generates significant traffic when no motion events are occurring

Performance Degradation

When a camera’s processor is partially consumed by botnet activity, you may notice subtle performance impacts:

  • Slower response when accessing the camera’s web interface
  • Occasional frame drops or reduced video quality during live viewing
  • Delayed motion alert notifications
  • The camera’s processor temperature running higher than expected (visible in the camera’s system diagnostics on some models)

Configuration Changes

Some botnet malware modifies device settings to maintain access or disable security features. Check for:

  • New user accounts that you did not create
  • Changed network settings, particularly DNS server configurations that redirect traffic through attacker-controlled servers
  • Disabled firmware update features
  • Modified firewall rules within the camera’s settings

How to Protect Your Cameras from Botnet Recruitment

The protective measures are straightforward and effective. The vast majority of botnet infections exploit basic security oversights that are easily corrected.

Change Default Passwords Immediately

This single action blocks the primary infection vector used by most botnets. Use a strong, unique password for every camera and NVR — at least 12 characters with a combination of letters, numbers, and symbols. Do not use the same password across multiple devices.

Keep Firmware Updated

Firmware updates from manufacturers frequently patch the vulnerabilities that botnet malware exploits. Check for and apply firmware updates at least quarterly. Enable automatic updates where available.

Do Not Expose Cameras Directly to the Internet

Remove any port forwarding rules that expose camera web interfaces directly to the internet. Disable UPnP on your router to prevent cameras from automatically opening ports. For remote access, use the manufacturer’s P2P cloud service or a VPN — both methods keep the camera behind the firewall while enabling remote viewing.

Segment Your Network

Place cameras on a separate network segment (VLAN or guest network) from your computers and personal devices. If a camera is compromised despite your precautions, network segmentation prevents the attacker from reaching more valuable targets on your primary network.

Monitor Network Traffic

Regularly review the traffic patterns of your IoT devices. Many modern routers provide per-device bandwidth monitoring that makes it easy to spot anomalies. A camera that suddenly begins using five times its normal bandwidth warrants investigation.
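The three traffic indicators listed under Network Traffic Anomalies, combined with the five-times-baseline rule of thumb here, can be checked automatically against per-device flow records exported from a router. The sketch below is an added example, not part of the original article or any vendor's tooling. The record layout, device names, baseline figures, allowed-destination list and motion-event hours are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (hour, device, destination IP, upload bytes).
# All addresses are private or documentation ranges, not real indicators.
FLOWS = [
    (1, "cam-front", "192.168.20.10", 40_000_000),
    (2, "cam-front", "192.168.20.10", 42_000_000),
    (3, "cam-front", "192.168.20.10", 41_000_000),
    (3, "cam-front", "203.0.113.77", 900_000_000),
    (1, "cam-back", "192.168.20.10", 35_000_000),
    (2, "cam-back", "198.51.100.5", 2_000_000),
    (3, "cam-back", "192.168.20.10", 36_000_000),
]
# Assumed inputs: typical hourly upload per device measured while known-clean,
# destinations the cameras legitimately use (NVR, cloud service), and the
# hours in which each camera logged motion events.
BASELINE = {"cam-front": 45_000_000, "cam-back": 40_000_000}
ALLOWED = [ip_network("192.168.20.10/32"), ip_network("198.51.100.0/24")]
MOTION_HOURS = {"cam-front": {1, 2}, "cam-back": {1, 3}}
SPIKE_FACTOR = 5  # the article's "five times its normal bandwidth"


def find_anomalies(flows, baseline, allowed, motion_hours, factor=SPIKE_FACTOR):
    """Return {device: [(indicator, detail), ...]} for the three traffic checks."""
    hourly = defaultdict(int)
    findings = defaultdict(list)
    for hour, device, dst, sent in flows:
        hourly[(device, hour)] += sent
        # Indicator: connection to a destination outside the known-good list.
        if not any(ip_address(dst) in net for net in allowed):
            findings[device].append(("unknown_destination", dst))
    for (device, hour), total in sorted(hourly.items()):
        normal = baseline[device]
        # Indicator: upload far above what normal streaming requires.
        if total > factor * normal:
            findings[device].append(("upload_spike", hour))
        # Indicator: above-normal traffic in an hour with no motion events.
        if total > normal and hour not in motion_hours.get(device, set()):
            findings[device].append(("traffic_without_motion", hour))
    return dict(findings)


if __name__ == "__main__":
    results = find_anomalies(FLOWS, BASELINE, ALLOWED, MOTION_HOURS)
    for device, items in results.items():
        for indicator, detail in items:
            print(f"{device}: {indicator} ({detail})")
```

A device that appears in the result is a candidate for the response steps, not proof of infection; a firmware download or a bulk cloud upload can trip the same thresholds.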

The irony of a security camera being weaponised against others is not lost on the cybersecurity community. The device intended to protect your property becomes a tool for attacking someone else’s. Proper password management, firmware updates, and network configuration prevent this scenario entirely.

What to Do If You Suspect Compromise

If you believe a camera or NVR has been compromised, take the following steps:

Disconnect the device from the network immediately. This cuts the device off from the botnet’s command-and-control server and stops any ongoing attack participation.

Factory reset the device. Most botnet malware resides in the camera’s volatile memory and does not survive a factory reset. Perform a full reset to manufacturer defaults.

Update the firmware before reconnecting. Download the latest firmware from the manufacturer’s official website and apply it to the reset device before connecting it back to the network. This patches the vulnerability that was exploited.

Configure with strong credentials. Set a new, strong, unique password before putting the device back online. Review all security settings and disable any services that are not needed.

Review your entire network. If one device was compromised, others may be as well. Check all cameras, NVRs, and IoT devices for the indicators described above.

For New Zealand camera owners, the botnet threat is real but entirely preventable. The same basic cybersecurity hygiene that protects against most cyber threats — strong passwords, updated firmware, and responsible network configuration — effectively eliminates the risk of botnet recruitment. The cameras you installed to improve your security should not be allowed to become someone else’s weapon. A few minutes of configuration ensures they never will.
