Your IP Cameras Are Being Targeted by Botnets. Here Is What We Observed.
IP cameras are among the most common connected devices in senior living communities. They monitor entrances, common areas, parking lots, memory care wings, and medication rooms. They are also one of the most targeted devices on the internet. The Mirai botnet family alone has spawned over 116 distinct variants from more than 21,000 malware samples, with compromised cameras and routers making up the majority of infected devices. In February 2026, a Mirai-based botnet called Aisuru generated a record-breaking 31.4 Tbps distributed denial-of-service attack using an estimated 300,000 compromised IoT devices.
In late March 2026, our threat monitoring infrastructure captured an automated attack campaign targeting IP cameras and IoT (Internet of Things) surveillance devices using a factory-default password specific to a commercial camera product line. The attackers operated from Google Cloud Platform infrastructure, used four different download methods to maximize infection probability, and completed the entire attack in under 35 seconds. The payload was a confirmed botnet variant detected by 37% of commercial antivirus engines. IoT camera attacks are one of several active threat vectors covered in our complete cybersecurity guide for senior living.
This is not a theoretical risk. Healthcare remains the most expensive industry for data breaches at $7.42 million per incident according to IBM's 2025 Cost of a Data Breach Report, and it takes organizations an average of 279 days to identify and contain a healthcare breach. An unsecured camera can be the entry point that starts that clock.
How Does an IP Camera Get Recruited into a Botnet?
The attack we observed is fully automated. A bot scans the internet for devices accepting remote connections, attempts known factory-default credentials, and upon successful login, downloads and executes malware through whichever protocol the device supports. The bot tries four download methods in sequence to ensure at least one works regardless of the target device's configuration. After execution, the attack self-cleans, removing all evidence from the compromised device.
Two characteristics of this campaign stand out. First, the attackers launched their scans from Google Cloud Platform addresses. Traditional security filters that block traffic from known malicious hosting providers do not flag Google Cloud. The attackers are deliberately using legitimate cloud infrastructure to bypass reputation-based defenses.
Second, the credential used in this attack is a documented factory default for a commercial IP camera brand. This is not a sophisticated zero-day exploit listed in the CISA Known Exploited Vulnerabilities Catalog. It is an attacker trying the password that came printed on the setup card. If the camera still carries its factory password, the attack succeeds.
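The sequence described above (a successful login, several download attempts, execution, then cleanup, all inside 35 seconds) can be matched at the session level. The following is an added detection sketch, not code from our monitoring infrastructure. The event format, the method names, and the two-method threshold are assumptions, and the events must be collected off the device, since the attack removes its traces locally.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 35  # the campaign above completed in under 35 seconds
MIN_METHODS = 2      # assumption: 2+ distinct download methods in one burst

# Constructed events (not captured data): timestamp, session id, event, detail
SAMPLE_EVENTS = """\
2026-03-28T02:14:01Z s1 login_ok user=admin
2026-03-28T02:14:05Z s1 download method=http
2026-03-28T02:14:09Z s1 download method=tftp
2026-03-28T02:14:13Z s1 download method=ftp
2026-03-28T02:14:20Z s1 exec path=/tmp/x
2026-03-28T02:14:24Z s1 delete path=/tmp/x
2026-03-28T09:00:00Z s2 login_ok user=installer
2026-03-28T09:04:10Z s2 download method=http
2026-03-28T09:30:00Z s2 logout
"""

def parse(text):
    """Group events by session id as (time, kind, detail) tuples."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, kind, *rest = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        detail = dict(kv.split("=", 1) for kv in rest)
        sessions[sid].append((when, kind, detail))
    return sessions

def suspicious_sessions(text):
    """Flag sessions with multi-method download, exec and delete soon after login."""
    findings = {}
    for sid, events in parse(text).items():
        events.sort(key=lambda e: e[0])
        logins = [t for t, kind, _ in events if kind == "login_ok"]
        if not logins:
            continue
        start = logins[0]
        # Keep only what happened within the window after the first login.
        burst = [(k, d) for t, k, d in events
                 if 0 <= (t - start).total_seconds() <= WINDOW_SECONDS]
        methods = {d["method"] for k, d in burst if k == "download"}
        executed = any(k == "exec" for k, _ in burst)
        cleaned = any(k == "delete" for k, _ in burst)
        if len(methods) >= MIN_METHODS and executed and cleaned:
            findings[sid] = sorted(methods)
    return findings
```

On the constructed sample, session s1 is flagged with its three download methods, while s2 (a single download minutes after login, no cleanup) is not.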
What This Means for Senior Living Communities
A compromised camera does not display a warning message. It continues to appear functional while silently participating in botnet activity. The consequences are practical and immediate.
Resident safety monitoring becomes unreliable. A camera recruited into a botnet may drop frames, go offline during peak usage, or stop recording entirely. In memory care, a camera gap during an elopement event creates both safety risk and regulatory exposure.
Network performance degrades. A compromised camera generates outbound attack traffic that consumes bandwidth. VoIP (Voice over Internet Protocol) phones drop calls. Cloud-based EHR (Electronic Health Record) systems slow down or time out during medication pass. Family video calls stutter. Staff blame the internet when the real cause is a compromised camera on the same network.
Lateral movement to clinical systems becomes possible. On a flat network where cameras and workstations share the same subnet, a compromised camera becomes a pivot point. The attacker can scan for and reach clinical systems processing electronic Protected Health Information (ePHI), creating a reportable breach scenario under the Health Insurance Portability and Accountability Act (HIPAA). In a separate campaign from the same observation period, we captured SSH backdoor attacks that install persistent access surviving password changes. Attackers who pivot from a compromised camera to a Linux appliance could combine both techniques.
What Should Operators Verify?
- Factory-default passwords have been changed on every camera and recording device. This is the single most effective control against the attack we observed. If the default password is gone, the automated attack fails.
- Cameras are on a separate network segment from clinical and administrative systems. Network segmentation using VLANs (Virtual Local Area Networks) ensures a compromised camera cannot reach workstations, EHR platforms, or other systems containing ePHI.
- Remote management protocols are disabled on camera devices. If cameras do not need SSH (Secure Shell) or Telnet access for day-to-day operation, those services should be turned off.
- Outbound internet access from camera networks is restricted. Cameras should only communicate with their recording server and firmware update sources. Open outbound access allows compromised cameras to reach attacker infrastructure.
- Camera firmware is current. Manufacturers patch known default credential vulnerabilities and other security flaws through firmware updates, as documented in CISA ICS advisories for IP camera systems. Many communities never update camera firmware after initial installation. Attackers are also using evasion techniques that bypass standard download monitoring to deliver payloads to unpatched devices.
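The segmentation, remote management, and outbound access items above can be checked against firewall or switch flow records. The following is an added example, not part of our tooling. Every address, subnet, and the three-field record format are constructed placeholders, and each record is assumed to describe a connection initiated by the source.

```python
import ipaddress

# All addresses are constructed placeholders; substitute your own inventory.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
CLINICAL_NET = ipaddress.ip_network("10.20.10.0/24")
ALLOWED_DESTS = {
    ipaddress.ip_address("10.20.40.10"),   # recording server
    ipaddress.ip_address("203.0.113.25"),  # firmware update source
}
MGMT_PORTS = {22: "SSH", 23: "Telnet"}

# Constructed flow records: source, destination, destination port
SAMPLE_FLOWS = """\
10.20.30.11 10.20.40.10 554
10.20.30.11 203.0.113.25 443
10.20.30.12 198.51.100.7 80
10.20.30.12 10.20.10.5 445
10.20.50.9 10.20.30.13 23
10.20.10.5 10.20.40.10 443
"""

def audit_flows(text):
    """Return (check, src, dst, port) findings for three checklist items."""
    findings = []
    for line in text.splitlines():
        src_s, dst_s, port_s = line.split()
        src = ipaddress.ip_address(src_s)
        dst = ipaddress.ip_address(dst_s)
        port = int(port_s)
        if src in CAMERA_NET:
            if dst in CLINICAL_NET:
                # A camera reached the clinical segment: segmentation gap.
                findings.append(("segmentation", src_s, dst_s, port))
            elif dst not in ALLOWED_DESTS and dst not in CAMERA_NET:
                # A camera talked to something other than recorder/updates.
                findings.append(("egress", src_s, dst_s, port))
        if dst in CAMERA_NET and port in MGMT_PORTS:
            # SSH or Telnet is being reached on a camera.
            findings.append(("remote-mgmt", src_s, dst_s, port))
    return findings
```

On the constructed sample this reports one unexpected outbound connection, one camera-to-clinical connection, and one Telnet connection to a camera; the recording and firmware flows pass.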
The Regulatory and Financial Landscape Is Shifting
The IoT healthcare market is projected to reach $78.8 billion in 2026, growing at a 21% compound annual growth rate. More connected devices mean more attack surface. Regulators are responding. The proposed HIPAA Security Rule update, expected to be finalized in May 2026, will require covered entities to maintain a comprehensive inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how these assets are connected. Network segmentation is explicitly called out as a required safeguard. Camera systems that integrate with access control or resident monitoring platforms meet this definition.
The Office for Civil Rights (OCR) closed 22 HIPAA enforcement actions in 2024 and 21 in 2025, with inadequate risk analysis as the most frequently cited violation. A risk assessment that inventories workstations and servers but ignores IP cameras and IoT devices is incomplete under the current rule and will be explicitly non-compliant under the proposed update.
On the insurance side, carriers now require documented proof of MFA (Multi-Factor Authentication), EDR (Endpoint Detection and Response), encrypted backups, and incident response plans before binding a policy. IoT devices with default credentials represent an uncontrolled risk that underwriters increasingly ask about during renewal.
Senior living occupancy is approaching 90% in 2026, the highest level NIC MAP has tracked in 20 years. M&A activity is surging: 45% of respondents in a 2026 industry survey plan to acquire senior housing assets this year. Ventas alone closed $800 million in senior living acquisitions in early 2026. For operators positioning for acquisition or recapitalization, a clean cybersecurity posture, including IoT security, is a due diligence asset. A compromised camera network is a due diligence liability.
Related Reading
- Nurse Call Systems Are the Next Attack Surface: 39% of nurse call systems have critical unpatched vulnerabilities. Cameras are not the only IoT risk.
- When Changing the Password Is Not Enough: SSH Backdoors That Survive Credential Rotation. A different attack we observed that installs persistent access surviving password changes.
Do you know what credentials your cameras are using?
Tech for Senior Living designs network architectures specifically for senior living communities, with dedicated segments for cameras, clinical systems, and business operations. We eliminate factory defaults during onboarding and monitor for anomalous IoT behavior 24/7.