The Financial Times reported on Monday that Israel's Unit 8200 spent years hacking nearly all traffic cameras in Tehran to track and kill Iran’s supreme leader Khamenei in an airstrike.

"We knew Tehran like we know Jerusalem," an Israeli intelligence official told the Financial Times.

Israeli data analysts used footage from hacked traffic cameras to generate movement profiles of high-ranking Iranian officials.
They used AI tools to process large data volumes and pinpoint meeting locations.

As with any military operation, almost no technical details are known about what really happened.
I will try to outline a few scenarios based on my experience in cybersecurity.

#1 Secrets and Lies
A cyber operation, as reported by the Financial Times, never took place.
Because I don't believe everything I read.
And certainly not when information comes from an opposing party.
That's just not reasonable.

#2 Agents and Spies
No cyber operation at all. Pure physical operation.
Tehran and Hezbollah have been infiltrated by human sources recruited by CIA and Mossad.
They provided human sources to confirm Khamenei's exact location.
Iran's top nuclear scientists, military leaders and other key individuals were killed in Tehran.

#3 Insider Knowledge
Israeli and American spies had access to all video recordings.
They transmitted everything to Tel Aviv without leaving any traces.

#4 Backdoored Cams
CIA and Mossad deployed vulnerable traffic cameras and exploited them afterwards.
Cams had an integrated cellular modem that was streaming everything directly to Tel Aviv.

#5 Exposed Cams
All traffic cams were directly exposed to the public Internet.
Weak authentication or no authentication at all for remote management.
Less likely. It should not happen to a nation state.

#6 Zero- and N-Days
Unit 8200 compromised every single traffic camera by exploiting 0- and N-day vulnerabilities.
Less likely. Hard to exfiltrate data even with full access.

#7 Connected Network
Cams are usually connected to a network via a network interface.
Images are streamed to a central server which may have been compromised.
No traffic cam was exploited, only the network to which they were connected.
Stuxnet has shown that Iranians are using sanctioned Microsoft and Siemens products.

#8 Intercepted Traffic
Neither traffic cams nor servers were hacked.
They gained control over a workstation and intercepted data traffic between cams and servers.

#9 All A Dream
Everything I tried to explain was wrong or only half true.
We will probably never know.
But what we do know for sure is that the Cyber Resilience Act makes network-capable cameras much more secure.