Ukraine’s intelligence agency this week asked civilians to take down any outdoor webcams that record or livestream scenes from Ukraine, warning that Russia was exploiting the cameras to help guide its missile attacks in real time.
The Ukrainian intelligence agency, known as the S.B.U., said it was primarily concerned with “automatic video recording around residential and social buildings, road and transport, industrial and commercial facilities.”
Cybersecurity experts have warned for years that webcams, including security cameras for homes and businesses, are often vulnerable to hacking. Access to such footage, whether it was hacked or on a public livestream, can help Moscow pinpoint targets, the S.B.U. has said.
Ukraine largely outlawed filming and distributing footage of its armed forces shortly after Russia’s invasion last year, citing concerns about revealing military information, including troop positions.
It is not clear what prompted the S.B.U.’s public warning about street webcams more than a year later, but its request for civilians to take them down comes as the Ukrainian capital has faced relentless missile attacks in recent weeks that have forced its air defense systems into overdrive.
The morning after one of the largest aerial assaults, the S.B.U. detained six Kyiv residents who had shared footage showing Russian missiles being intercepted. U.S. officials said the May 16 assault damaged the highly advanced American-made Patriot air defense system.
The footage could have revealed the locations of Ukraine’s air defense systems, the S.B.U. said, adding that “in a matter of minutes, these videos were picked up by numerous Telegram channels and Russian propaganda internet communities,” including those controlled by Russian intelligence.
Similar footage was also captured by the webcams of “commercial entities” in the area and posted to YouTube by other users, the S.B.U. added, saying it had blocked some of those cameras from operating.
The IT Army of Ukraine, a pro-Kyiv group of hackers, subsequently launched a “cam bounty,” asking people to report vulnerable webcams around the country and promising to block them. The group said it received over 300 messages about such cameras in two days.
The new request from the S.B.U. was “absolutely warranted,” said Robert Lipovsky, a principal threat intelligence researcher at ESET, a cybersecurity firm that has helped Ukraine analyze Russian cyberattacks. Many internet-connected devices, such as smart home hubs, lack sufficient security protections, ESET has found, but webcams can be particularly exploitable. Cautions about the security and privacy risks they pose would be appropriate even during peacetime, Mr. Lipovsky said.
The cybersecurity director of the United States’ National Security Agency, Rob Joyce, warned in April that Russian hackers were tapping coffee shop security cameras and other public-facing webcams in Ukraine to gather intelligence on nearby aid convoys.
Monitoring such cameras doesn’t necessarily even require hacking. Many websites make collections of unsecured video feeds from around the world easily accessible, and platforms like YouTube often host livestreams of cityscapes.
Live video streams did provide some strategic value to Ukraine toward the start of the war — webcams broadcasting scenes from Kyiv’s Independence Square and young adults sharing daily life under invasion on TikTok Live played a novel role in drawing the world’s attention to Russia’s actions.
Cameras around the country have also documented atrocities committed by Russian forces, and the Ukrainian government has developed digital tools to allow civilians to easily record and submit evidence of war crimes. A New York Times investigation that identified the Russian military unit behind a massacre in Bucha relied in part on footage from security cameras along Yablunska Street, the quiet suburban road where the bodies of dozens of civilians were found.
Still, military doctrine almost always drives governments to try to control what information is recorded and shared during wartime, said Stéphane Duguin, the CEO of the CyberPeace Institute, which tracks cybersecurity threats during the war.
“If it’s hyper-connected,” he added, “it’s creating a risk.”