Mass hacking of IP cameras leave Koreans feeling vulnerable in homes, businesses

 

When Kim Ha-eun, a mother of two, installed internet protocol (IP) cameras in her home after giving birth for the first time five years ago, she hoped the devices would ease the need for her and her husband to remain physically present around the clock to watch over their children.

  “Being able to see what was happening inside the house in real time was important for us if we had to step outside, even for something as simple as a grocery run,” she said.

  But news that hackers recently breached approximately 120,000 IP cameras across Korea — often found inside private homes like Kim’s — has left her and many others seething, prompting the government to take action.

  As shocking the scale of the intrusions was the alleged motive behind them. Videos captured by the hacked cameras were allegedly sold to an overseas pornography website, exposing some of the most intimate moments of unsuspecting victims to anonymous viewers abroad.

 

Only 1,193 videos from the hacked cameras have been uncovered so far on overseas websites, raising concerns that many more remain undiscovered.

  In response, an interagency task force comprising officials from the Ministry of Science and ICT, the Personal Information Protection Commission and the National Police Agency announced on Dec. 7 that it would pursue a multilayered reform package. The measures aim to shift responsibility beyond individuals and camera manufacturers to include installation companies and telecommunications providers.

  Yet as policymakers scramble to overhaul regulations and reinforce technical safeguards, interviews with everyday users of IP cameras reveal a gap between how these devices are used and understood and the level of risk they actually pose.

    Weaponizing tools of reassurance

  For Kim, the five IP cameras in her home were initially meant to provide peace of mind. The cameras — one in each child’s bedroom, as well as units in the living room and kitchen — run continuously, providing a live feed accessible through a mobile app.

  Privacy and data security, however, were not central considerations in her decision. Kim’s husband installed the system himself using online instructions, setting a password for the cameras that the couple has not changed since. Until learning of the hacking scandal during the interview, Kim had not even seen the news.

  Her experience reflects a broader structural problem.

  According to Kim Ji-yoon, an assistant professor of computer science and engineering at Gyeongsang National University, Korea maintains “relatively strict regulations,” such as the Personal Information Protection Act, governing footage recorded by closed-circuit television (CCTV) systems. However, he said, “there are limitations in applying these regulations to devices such as home-use or privately installed IP cameras.” As a result, devices designed for intimate domestic spaces often fall through regulatory cracks.

  Authorities later confirmed that many hacked cameras were protected by simple or widely known passwords that were rarely changed. A government survey found that only 59 percent of installation companies consistently carried out mandatory security measures, such as changing default password settings.

  Upon learning of the incident, Kim Ha-eun said she would change her password immediately. But her frustration was directed less at herself than at the companies behind the technology.

  “These camera manufacturers need to do a better job,” she said. “Their devices are basically broadcasting our private lives if they’re not secured.”

 

Illusion of low risk

  Marshall Brown, a 41-year-old American working at an intergovernmental organization in Seoul, installed a single IP camera in his living room before traveling abroad in 2022, mainly to check on his cats. The camera featured a remote panning function that offered a wide field of view.

  Like Kim, Brown never changed the camera’s password. He said the threat of IP camera hacking felt “abstract and distant.”

  He routinely unplugged the camera after returning from trips — not out of privacy concerns, but because the need to monitor his cats remotely disappeared. Eventually, he removed the device altogether when friends began staying long-term in his apartment during his absences.

  Experts say this sense of detachment is common. Prof. Kim noted that while surveillance equipment used in public spaces is increasingly subject to strict security certification, IP devices “are somewhat excluded from this trend.”

  The diversity of manufacturers and products, he added, makes “consistent standards difficult to apply,” reinforcing a consumer perception that such devices carry minimal risk.

  Brown likened his reaction to the camera scandal to his response to previous large-scale data breaches in Korea, including those involving SK Telecom and Coupang.

  “I still don’t know how something like this affects me in the long run,” he said. “If fear of these situations became widespread, it would feel almost dystopian.”

    Human harm

  What sets the current case apart — and prompted the government’s unusually forceful response — is the nature of the harm involved.

  Police believe one suspect hacked 63,000 IP cameras, producing 545 videos that he sold to an overseas website for 35 million won ($24,000) in cryptocurrency. Another suspect allegedly hacked 70,000 devices, creating 648 videos that he later sold to the same website for 18 million won.

  The two individuals, whom police say are not accomplices, sourced most of their footage from IP cameras installed in ordinary homes, gynecology offices, breastfeeding rooms, massage parlors, Pilates studios and waxing salons. They often accessed the same compromised devices repeatedly. The videos accounted for 62 percent of all content on the website, which includes a separate “Korean” category.

  Two additional suspects are accused of hacking 15,000 cameras and 136 devices, respectively, to collect footage for private possession.

  Unlike leaked phone numbers or delivery addresses, compromised IP camera footage can expose faces, bodies, children and private spaces. Prof. Kim emphasized that hacked cameras can reveal “an individual’s movements, daily life and relationships,” making the potential for privacy violations “extremely high.”

  Kim Ha-eun echoed that concern, saying penalties “should be really harsh,” given that a hacked camera feed “lays bare our entire daily existence.”

  Prof. Kim added that when information involving “an unspecified large number of victims is leaked and distributed,” recovery becomes exceptionally difficult. In such cases, he said, victim protection must extend beyond punishment to include deletion and blocking of content, dispute resolution, mediation and litigation.

  The government’s follow-up measures reflect that approach. High-risk businesses such as bathhouses, accommodation facilities and medical institutions have been reminded of their legal obligations, while joint inspections of hospitals and massage clinics have begun. Lawmakers are also pursuing legislation to mandate the use of security-certified IP cameras in sensitive facilities, along with design-stage requirements for complex passwords.

  Victim support measures include faster takedown of illegal videos, expanded legal and psychological assistance, and intensified investigations into the distribution of content recorded without consent.

  Yet Prof. Kim argues that regulation should go further upstream. He said it is necessary to establish “minimum security standards with enforceability” for consumer devices and to “clearly define, at an institutional level, the responsibility of device suppliers to guarantee security.”

  He also advised users to avoid installing cameras in locations that could capture “personally identifiable information, private spaces or parts of the body.”

 

Beyond passwords: Rethinking responsibility

  Much of the public discussion has focused on weak passwords. But Prof. Kim said a single failure cannot explain the mass hacking.

  “Rather than one cause,” he said, “this should be understood as multiple factors acting together,” including the use of unauthenticated devices, technical weaknesses in how footage is stored and transmitted, and lapses in security updates.

  He cautioned against framing the issue solely as user negligence, calling instead for institutional guidelines that limit IP camera use to the “minimum necessary authority, purpose and scope.”

  Brown, drawing on phishing simulations at his workplace, questioned whether frequent password changes alone offer meaningful protection.

  “The idea that changing your password all the time will protect your data is antiquated,” he said. “You also have to be aware of what you’re clicking and who you’re communicating with.”

  This view aligns with the government’s longer-term plans, which include tailored education for installation companies, businesses and digitally vulnerable populations, as well as broader public security guidelines.

    Erosion of trust

  As IP cameras become increasingly common in homes, workplaces and public facilities, the scandal has raised more profound questions about surveillance, trust and dependence on networked technologies.

  Prof. Kim warned that while AI-based video analysis offers convenience, technologies designed to “identify, track and classify” individuals risk tipping the balance too far. Through “appropriate laws, regulations and operational practices,” he said, society must renegotiate the trade-off between convenience and privacy.

  He also predicted that demand for low-cost or noncertified products would decline alongside consumer trust. At the same time, he said, the scandal could increase demand for security-certified devices, creating incentives for companies to invest more heavily in security.

  For Kim Ha-eun, the reckoning is already personal.

  “I’m thinking about getting rid of the camera system as the children grow older,” she said. “They’ll become more independent, and we won’t need to watch them as closely through cameras anymore.”

    BY MICHAEL LEE [[email protected]]