Dubai Police on Saturday warned residents that internet-connected cameras, baby monitors, voice assistants and smart locks running on default or weak passwords are being scanned and hijacked by cybercriminals, who can spy on private rooms, steal personal data, or run extortion schemes. The force pushed immediate password resets, automatic software updates, and switching cameras off when they aren’t needed.
The advisory, released on May 2, 2026 by the force’s Cybercrime and Electronic Crime Department, lands at a moment when the UAE Cybersecurity Council says nearly 70% of smart home devices in Emirati households are exposed because of basic configuration mistakes. It also lands two months after the U.S. Cybersecurity and Infrastructure Security Agency confirmed that a Hikvision camera flaw is being actively exploited in the wild, with the UAE among the targeted countries.
Why Default Settings Hand Hackers The Keys
The simplest attacks don’t need elite skills. Hackers run network scanners that crawl the public internet for cameras and recorders left on factory passwords like “admin/admin” or “12345,” type the credentials into the device’s web login, and they’re inside the feed. Vendor default lists are posted openly on hobbyist sites.
That is the technique Dubai Police described in plain language. Many attacks, the force said, target devices that rely on weak or default settings, which can be accessed using simple methods. Most home routers, IP cameras and DVRs ship with predictable credentials. Owners rarely change them.
The weakness isn’t the camera. It’s the 90 seconds of setup the buyer skipped.
The Numbers Behind The Council’s Smart Home Warning
The police advisory builds on UAE-specific risk data already published by the country’s Cybersecurity Council IoT security guidance. The figures are unusual for being national rather than vendor-marketed.
- 70%. Share of smart home devices in UAE residences flagged as vulnerable if basic security steps aren’t taken, per the UAE Cybersecurity Council.
- 820,000. IoT-targeted attack attempts observed worldwide every day in 2026, according to industry telemetry.
- 1 in 3. Data breaches that now involve a connected device somewhere in the chain.
- 38%. Smart home IoT devices that researchers say have been compromised at least once during their lifetime.
Six Steps Dubai Police Want Done This Weekend
The advisory translates into a short, do-this-tonight checklist. None of it requires technical skill, and most of it can be finished from a phone in under twenty minutes per device.
- Replace the factory password the moment a device is plugged in. Use at least 12 characters mixing letters, numbers, and symbols.
- Turn on automatic firmware updates. Most camera vendors push patches monthly.
- Switch off indoor cameras when family members are home, especially in bedrooms, nurseries and bathrooms.
- Don’t share Wi-Fi passwords with delivery riders, contractors or guests on the main network. Set up a guest Wi-Fi instead.
- Refuse to click links sent over WhatsApp, SMS or email asking for camera-app credentials, even if the sender’s name looks familiar.
- Avoid camera apps and add-ons downloaded from outside the App Store or Google Play. Side-loaded APKs are the most common malware vector.
“Awareness remains the first line of defense against cybercrime,” Dubai Police said in the same statement, while reminding residents that personal data and login credentials should never be shared with unverified contacts.
What A Strong Password Actually Looks Like In 2026
Password rules have moved on from the famous “P@ssw0rd1” formula. Modern offline-cracking rigs blow through eight-character mixed strings in minutes. The benchmark is length plus randomness, not clever substitutions.
| Password Style | Example | Estimated Crack Time, 2026 Hardware |
|---|---|---|
| Default factory | admin / 12345 | Less than 1 second |
| Eight-character mixed | Camera1! | Under 5 minutes |
| Twelve-character random | 9k$Lm@2qPx7t | Around 200 years |
| Four-word passphrase | orbit-falcon-mango-keel | Around 7,000 years |
For households running a router plus several cameras, a password manager removes the memorization problem. Two-factor authentication on the camera app, where the manufacturer offers it, blocks an attacker even if the password leaks.
The UAE’s National Policy for IoT Security sits behind these recommendations, encouraging device-level controls and segmented home networks rather than a single perimeter password.
The 2026 Camera Attacks That Reached The Gulf
The Dubai Police warning is not abstract. UAE-resident cameras have been pulled into live botnet activity multiple times this year, mostly through unpatched flaws in the two manufacturers that dominate budget IP-camera shelves: Hikvision and Dahua.
- March 5, 2026. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2017-7921 to its Known Exploited Vulnerabilities catalog, after confirming attackers were actively breaking into Hikvision cameras through a nine-year-old authentication bypass.
- March 2026. Researchers logged hundreds of hacking attempts by Iranian-linked threat actors against Hikvision and Dahua IP cameras across Israel, Qatar, Bahrain, Kuwait, the UAE, Cyprus and Lebanon.
- March 2026. The FBI, BKA in Germany and the RCMP in Canada took down four IoT botnets that had infected more than three million devices, including cameras and home routers.
- April 2026. Botnet trackers documented a fresh Mirai variant, profiled by FortiGuard Labs Moobot research, scanning the same Hikvision and Dahua flaws and conscripting compromised cameras into DDoS networks.
A villa in Al Barsha and a flat in JLT look identical to the scanner. Hackers don’t pick a household. They scan blocks of IP addresses, find every camera answering on its default port, and break in wherever the password and firmware are weak.
“While smart devices offer convenience, their safe use depends on strong digital awareness and vigilance,” Dubai Police said in its May 2 advisory.
How To Report A Hacked Camera In Dubai
Residents who suspect a device has been compromised, see strange motion-tracking on a feed, or receive an extortion message tied to home footage, can file a report with the force directly through the Dubai Police eCrimeHub portal. Reports can be filed anonymously.
Non-emergency cybercrime queries route through the 901 hotline. Active home intrusions, threats to safety, or live extortion calls go through the 999 emergency line. The UAE federal cybercrime reporting service provides parallel routes for residents in other emirates, including Sharjah and Abu Dhabi.
Before reporting, unplug the camera from power and from Wi-Fi. That cuts the attacker’s live access and preserves the device for any forensic check the eCrime team may want to run.
Frequently Asked Questions
How can I tell if my home camera has been hacked?
Watch for the lens panning when nobody triggered it, an LED indicator that lights up while you aren’t using the app, unfamiliar logins in the camera-app activity log, and unexpected data spikes on your router. Two-factor login alerts you didn’t request are also a red flag. If any appear, unplug the camera, change the password from a different device, and report through the eCrimeHub portal.
Are baby monitors covered by the Dubai Police warning?
Yes. The UAE Cybersecurity Council has specifically flagged baby monitors as one of the most exploited categories because they ship with weak default credentials and are usually placed in private rooms. The same six-step routine applies: change the password, enable updates, separate the network, and switch the device off when not in use.
Does the Dubai Police advisory ban Hikvision or Dahua cameras?
No. Neither Dubai Police nor the UAE Cybersecurity Council has banned any specific brand. The warning is about configuration, not procurement. A Hikvision or Dahua camera with current firmware, a 12-character password and 2FA enabled is in the safe configuration; a premium-brand camera left on factory defaults is not.
What number do I call to report a cybercrime in Dubai?
Call 901 for non-emergency cybercrime reports and inquiries to Dubai Police. Use 999 only for active emergencies, including live extortion calls or home intrusions. The eCrimeHub portal at ecrimehub.gov.ae accepts written reports, including anonymous submissions, around the clock.
Is it legal in the UAE to record visitors with a doorbell camera?
Outdoor doorbell cameras filming a public corridor or street view are generally permitted, but recording audio of conversations, pointing a camera into a neighbor’s window, or capturing footage in a shared building common area without consent can fall under UAE privacy laws, including Federal Decree-Law No. 45 of 2021 on personal data protection. When in doubt, ask building management before installing.
Should I use the same Wi-Fi for smart cameras and a work laptop?
No. The UAE Cybersecurity Council recommends running smart devices on a separate guest network, isolated from laptops and phones used for banking or work. If a camera is infected, network segmentation stops the malware from reaching sensitive devices. Most modern routers can create a second SSID in two clicks.
The advisory will be repeated. Dubai Police has run quarterly awareness pushes since 2023, and the cadence is tightening as more apartments come online with packaged smart-home kits. The fix has not changed in a decade: a long password, current firmware, and the camera switched off when nobody needs to be watching the watcher.
Leave a Comment