A security camera that is itself a security risk sounds like a paradox, but it is reality. Cameras with default passwords are attacked daily, enlisted in botnets (Mirai) or eavesdropped on. This 10-step checklist protects your system.
Why cameras get hacked
An attacker who controls the camera gets:
- Access to your local network (springboard to PC, NAS)
- Live stream — eavesdropping on your business or home
- A botnet slave — thousands of IP cameras for DDoS attacks
- Cryptomining (camera processor)
- Extortion — locking the NVR, ransom demands
Most common error: default password admin/admin or admin/12345. Attackers scan the entire internet and try them.
Checklist — 10 steps
1. Change the default password IMMEDIATELY after first start
Password must:
- Be at least 12 characters
- Mix upper and lower case letters
- Include digits
- Include special characters (!@#$%^&*)
- Not be dictionary-based (password, camera123, admin2024…)
Example of a strong password: Camera7!Pool#Dog
2. Unique password for every device
Don't reuse the same password on the camera, NVR, router and Wi-Fi. If one is broken, the attacker has the keys to everything.
3. Update firmware regularly
Vendors regularly fix security bugs. Firmware updates block known attacks. Check at least once every 3 months.
Guide: Device firmware updates.
4. Disable UPnP (Universal Plug and Play) on the router
UPnP automatically opens ports to the internet — and attackers see them. Disable it in router settings. Use P2P instead (safer, encrypted protocol).
5. Don't expose the camera directly to the internet
Port forwarding on 80/554/8000 = invitation to attack. Use:
- ✅ P2P (via vendor cloud)
- ✅ VPN (WireGuard, OpenVPN) — tunnel into LAN
- ❌ Port forwarding (without VPN)
6. Separate VLAN/network for cameras
Advanced: isolate cameras into a separate VLAN on the switch. Even if a camera is compromised, the attacker can't see the rest of your network (PC, NAS, phone).
For home installations: use the router's guest network for cameras.
7. Disable unused services
On the camera or NVR disable services you don't use:
- FTP, Telnet — vulnerable protocols
- SNMP — unless monitoring
- UPnP
- ONVIF — if the NVR is the same brand as the cameras
- SSH / external web port
8. Audit account list
Delete all inactive accounts in the NVR. Keep only those needed, each with a personal password.
9. Set lockout after failed attempts
In the NVR menu: Security → Lockout. After 5 failed login attempts, lock the account for 30 minutes. This slows brute-force attacks.
10. Monitor access
Check the access log in the NVR: System → Log. If you see logins from strange IPs (China, Russia, Brazil) — change passwords and update firmware immediately.
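The log review from steps 9 and 10 can be automated on an exported log. The following is an added example, not code from the original page or from any NVR vendor: the log line format, the trusted subnets and the function name audit are assumptions, so adapt the pattern to what your NVR actually exports.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks you normally log in from (camera LAN and VPN subnet).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
FAILED_THRESHOLD = 5  # same count as the lockout rule in step 9

# Hypothetical export format: "<date> <time> <event> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+ \S+) (login_ok|login_failed) user=(\S+) src=(\S+)$")

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01 08:02:11 login_ok user=owner src=192.168.1.20
2024-05-02 03:12:40 login_failed user=admin src=203.0.113.7
2024-05-02 03:12:41 login_failed user=admin src=203.0.113.7
2024-05-02 03:12:43 login_failed user=admin src=203.0.113.7
2024-05-02 03:12:44 login_failed user=admin src=203.0.113.7
2024-05-02 03:12:46 login_failed user=admin src=203.0.113.7
2024-05-02 19:30:05 login_failed user=owner src=192.168.1.20
2024-05-03 02:47:19 login_ok user=admin src=198.51.100.23
2024-05-03 07:15:00 login_ok user=owner src=10.8.0.5
"""

def audit(log_text):
    """Return (successful logins from outside TRUSTED_NETS, sources at or over the failure threshold)."""
    external, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event in the assumed format
        when, event, user, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address field
        if event == "login_failed":
            failures[src] += 1
        elif not any(addr in net for net in TRUSTED_NETS):
            external.append((when, user, src))
    noisy = sorted(s for s, n in failures.items() if n >= FAILED_THRESHOLD)
    return external, noisy

if __name__ == "__main__":
    external, noisy = audit(SAMPLE_LOG)
    for when, user, src in external:
        print(f"login from outside trusted networks: {when} user={user} src={src}")
    for src in noisy:
        print(f"{FAILED_THRESHOLD} or more failed logins from {src}")
```

Any hit in either list is the trigger the step describes: change passwords and update firmware.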
Advanced measures
Two-factor authentication (2FA)
Selected NVRs and the BitVision app support 2FA via SMS or an authenticator app. Activate in: Account → Security → 2FA.
HTTPS instead of HTTP
Make sure the NVR's web interface uses HTTPS (encrypted). In the menu Network → HTTPS → enable. Without HTTPS the password is sent in plain text.
Regular configuration backup
After setting up the NVR, export the configuration to a file. If anything fails later, you can restore quickly.
What to do if the camera is already compromised
- Physically disconnect the camera/NVR from the network
- Perform a factory reset (hardware button)
- Install the latest firmware (from the vendor's website)
- Go through the entire checklist above before connecting back
- Check other devices on the network too (they may be compromised)
Summary
Camera-system security is a 30-minute one-off task at install time. If you skip it, you risk being abused before you notice. The 10 steps above solve 95% of threats.