Arya News - Weak passwords, cheap devices, loose rules keep Korea’s IP cameras exposed.
SEOUL – Public anxiety over data breaches has long centered on banks, platforms and telecom companies. But a more intimate and unsettling threat is spreading through everyday spaces: internet-connected security cameras installed in homes, hospitals and public facilities.
Police recently arrested four suspects accused of hacking about 120,000 Internet Protocol cameras nationwide. The arrests come just a year after hundreds of private videos — filmed inside homes, karaoke rooms, Pilates studios and even maternity delivery rooms — surfaced on illegal Chinese streaming platforms.
Despite repeated crackdowns, experts warn the same vulnerabilities continue to be exploited, raising questions about the effectiveness of Korea’s regulatory and certification systems for connected devices.
IP cameras have surged in popularity because they are cheaper and easier to install than traditional closed-circuit television systems. Unlike CCTV, they connect directly to the internet, allowing users to check footage remotely via smartphones.
That convenience is also their biggest weakness.
To enable remote viewing, many IP cameras upload footage to cloud servers instead of streaming directly from the device. Those servers are often operated by overseas providers, making large-scale breaches easier — and harder for Korean authorities to oversee.
“Once a cloud server is compromised, massive amounts of footage can be exposed at once,” said Kim Yong-dae, ICT endowed chair professor at KAIST’s Graduate School of Information Security.
According to Danawa Research, nearly 80 percent of IP cameras sold in Korea are manufactured by Chinese firms, none of which have obtained Korea’s domestic internet of things security certification.
Technical sophistication is not the main barrier for attackers.
Police say IP camera hacking often relies on basic password guessing and unpatched software, rather than advanced cyber skills. Many devices lack minimum password requirements, allowing credentials like “1234” or “admin.” Some low-cost models require no password at all.
“Once a camera is hacked, it is often targeted repeatedly,” a police official said, urging users to change default passwords and update firmware regularly.
That simplicity is reflected in the profiles of the suspects arrested this year. Only one had an IT background; the others were unemployed, self-employed or ordinary office workers.
Security breaches linked to IP cameras have recurred for more than a decade. In 2021, hackers infiltrated wall-mounted home control panels in over 700 apartment complexes, leaking footage from about 400,000 households onto the dark web. More recently, bar surveillance footage involving K-pop idols circulated widely on social media after being illicitly accessed.
Some experts argue Korea’s approach relies too heavily on voluntary compliance.
In Britain, the Product Security and Telecommunications Infrastructure Act mandates baseline security for connected devices, including a ban on default passwords such as “0000.” Korea has no equivalent legal requirement.
Instead, Korea operates a voluntary IoT security certification system, launched in 2018 under the Ministry of Science and ICT and the Korea Internet & Security Agency. The system covers IP cameras and other connected devices, but adoption has been minimal.
Certification costs range from 60 million won to 200 million won ($40,600 to $135,400), and participation is optional. As a result, only 13 of about 3,000 domestic IoT manufacturers applied for certification in the first half of this year.
“The government needs to examine why certification is neither attractive nor effective,” Kim said, adding that regulators should reassess whether existing standards are sufficient to deter hacking.
Facing mounting public concern, the government is now stepping in more aggressively.
On Dec. 7, the Ministry of Science and ICT, the Personal Information Protection Commission and the National Police Agency announced plans to introduce an advanced IP camera security management framework, expanding oversight beyond manufacturing and distribution to include hacking prevention and incident response.
Facilities deemed at high risk for privacy violations — such as bathhouses, accommodation facilities and medical institutions with operating rooms — will be formally notified of their legal obligations under the Personal Information Protection Act. Authorities will also investigate companies linked to large-scale video leaks for potential violations.
Joint inspections of vulnerable sites, including hospitals and massage parlors, are set to begin this month. Separate legislation is being prepared to mandate the use of security-certified IP cameras in gyms, yoga and Pilates studios, swimming pools, hospitals and postpartum care centers.