A surveillance camera, an access control reader and an alarm panel are bought to reduce risk. Increasingly, when they are poorly secured, they add to it. The same network-connected devices that watch over a site can be quietly turned around and made to watch it for someone else, from a distance and without anyone noticing. An electronic security system is only ever as good as its own configuration and integrity. A camera that is easy to reach, or easy to defeat, protects no one.
That is no longer a theoretical concern. In the 2025 conflict between Israel and Iran, both sides reached into surveillance cameras for reconnaissance and targeting, and artificial intelligence was used to make sense of what those cameras saw. The technology that sits on the average Australian site is not so different from the technology involved there.
Key takeaways:
- Electronic security systems are only as strong as their own configuration and integrity. A camera that is easy to reach or defeat is a liability, not a control.
- Network-connected CCTV, access control and alarms widen an organisation’s attack surface, and AI now makes finding and exploiting weak systems faster and cheaper.
- The 2025 Israel and Iran conflict showed both sides hacking cameras for reconnaissance and targeting, with AI used to map a target’s movements from camera footage.
- Device origin matters. In 2023 the Australian Government moved to remove hundreds of Chinese-made cameras from federal sites over data and foreign-interference concerns.
- Treat electronic security as part of your cyber attack surface. Independent assessment, network isolation, patching and supply-chain scrutiny are the core controls.
How a system built to protect you becomes the threat
The value of a forensic CCTV system rests entirely on its integrity. If footage can be altered, deleted or simply blinded, its value as evidence collapses at the very moment it is needed. The deeper problem is what a working but exposed system gives away. A live feed that an attacker can reach is free reconnaissance. It reveals site layouts, the rhythm of a working day, guard patrols and shift changes, which doors are used, and the faces and number plates that pass through. Access control records show who can go where. Alarm data shows when a building is occupied and how quickly anyone responds. Each device is a sensor, and a compromised sensor works for whoever controls it.
This is why electronic security cannot be treated as a set-and-forget purchase. The questions that matter are not only how many cameras and how high the resolution, but how well the system resists being reached, read or tampered with. That is the focus of a proper electronic security assessment.
What the 2025 Israel and Iran conflict revealed
The clearest recent illustration came from a war zone, but the lesson applies far beyond one. Israeli intelligence reportedly compromised street and traffic cameras inside Tehran and used AI to build a detailed picture of senior figures’ daily movements, work that contributed to the operation that killed the Iranian supreme leader.¹ ² Cameras installed by a state to watch its own population were turned into a targeting tool against it.
The traffic ran both ways. Threat actors linked to Iran compromised camera feeds inside Israel, including a street camera near a major research institute, and used them for reconnaissance and for assessing damage after missile strikes. They did so by exploiting known, unpatched vulnerabilities in widely deployed camera brands.³ The same pattern had already appeared in Ukraine, where compromised cameras were used to monitor troop movements and infrastructure, and authorities removed devices found to be working for the other side.⁴
The point for an ordinary organisation is not the missiles. It is that an internet-exposed camera is an intelligence source, and that AI has made it practical to sift hours of footage that no human would ever sit and watch.¹
How AI changes the equation
Attacks on electronic security are not new. What AI changes is the cost and the scale. It lowers the effort needed to find weak devices, to understand what their footage shows, and to test controls. In practice that means three shifts:
- Finding exposed systems. Scanning the internet for cameras and panels still running default settings or known-vulnerable firmware is now fast and largely automated.
- Making sense of footage. Reading number plates, recognising faces and reconstructing routines from large volumes of video no longer requires a room full of analysts.
- Pressuring controls. Synthetic images and voices can be tested against facial or voice-based access, and weak or reused credentials can be attempted at speed.
None of this requires an organisation to be a deliberate target of a nation state. It simply means that a poorly secured system is found sooner and exploited more easily than it once was.
Why this is an Australian boardroom and procurement issue
The risk is not abstract here. In 2023, an audit identified more than 900 Chinese-made cameras and related devices across roughly 250 Australian Government buildings, and the government moved to remove them, with Defence and Foreign Affairs acting first. The concern raised was not only the chance of a single faulty device, but where the data collected by these systems could ultimately flow.⁵
That reframes electronic security as a procurement and governance question, not just a technical one. Who made the device, where its data goes, whether it can be updated and trusted, and who ultimately owns or controls the manufacturer all now sit alongside price and image quality. For entities captured by the Security of Critical Infrastructure Act, cameras and access control that protect critical components fall squarely within the physical and supply-chain hazards a critical infrastructure risk management program is required to address.
How to protect your electronic security systems
Securing these systems is mostly a matter of treating them with the same discipline applied to any other connected technology. The core controls are well understood:
- Put them on the asset register. CCTV, access control and alarms belong inside the organisation’s risk and cyber program, not in a blind spot owned by facilities.
- Remove direct internet exposure. Devices should not be reachable from the public internet. Place them on segmented networks with controlled, monitored remote access.
- Patch and retire. Apply firmware updates promptly, and replace devices the vendor no longer supports or that carry known unpatched flaws.
- Use strong, unique credentials. Change default passwords, enforce multi-factor authentication on management interfaces, restrict administrator access and log it.
- Scrutinise the supply chain. Weigh device origin, data residency, update integrity and foreign ownership or control, particularly for sensitive or critical sites.
- Protect forensic integrity. Synchronise time across the system, secure recordings against tampering and deletion, and confirm retention so footage holds up when it is needed.
- Monitor and verify. Watch for unusual access to these systems, and have them independently checked against recognised standards as part of a security audit or a broader security risk assessment.
How Agilient can assist
Agilient is a vendor-neutral security and resilience consultancy. We design and verify electronic security; we do not sell the hardware, so the advice is independent of any manufacturer.
Our work in this area includes electronic security and CCTV and access control assessments that test configuration, exposure and integrity rather than coverage alone, security risk assessments that treat these systems as part of the attack surface, supply-chain and foreign-ownership considerations for sensitive sites, and alignment with the Protective Security Policy Framework and the SOCI Act for government and critical infrastructure clients.
Is your surveillance system protecting you, or quietly exposing you?
Request an electronic security and CCTV assessment.
Book a short briefing on securing your physical security systems.
Electronic Security FAQs
Q: Can a CCTV system really be used against the organisation that owns it?
A: Yes. A camera an attacker can reach becomes a live reconnaissance feed, revealing site layouts, routines and access points. Securing the system is what keeps it working for you rather than for someone else.
Q: What does AI add to the threat?
A: AI makes it cheap to find weakly secured devices at scale and to sift large volumes of footage for faces, number plates and patterns that a person would never have the time to review.
Q: Why did Australia remove Chinese-made cameras from government sites?
A: A 2023 audit found hundreds of Hikvision and Dahua devices across federal buildings, and the government acted over concerns about where the data could flow and the risk of foreign interference.
Q: Are our cameras a concern under the SOCI Act?
A: If a compromise of the electronic security protecting a critical component could create a material risk, it should be managed within your CIRMP across the physical and supply-chain hazards.
Q: What is the single most important step?
A: Stop treating these systems as set-and-forget facilities equipment. Put them on the asset register, bring them inside the cyber program, and have them independently assessed.
References
- Associated Press, Iran built a vast camera network to control dissent; Israel used it to track targets, apnews.com
- Financial Times, Israel hacked Tehran traffic cameras and used AI to track senior Iranian figures, ft.com
- Check Point Research, Interplay between Iranian targeting of IP cameras and physical warfare in the Middle East, research.checkpoint.com
- The Record (Recorded Future News), Israeli officials say Iran is exploiting security cameras to guide missile strikes, therecord.media
- The Register, Australian government removes Chinese-made surveillance cameras after audit, February 2023.
- Australian Signals Directorate, Australian Cyber Security Centre, Internet of Things devices.
