A few days ago Verkada, a cloud-based camera management company was shown to have had several thousand of its cameras or data compromised. I’m not going to rehash everything, but Tesla, police interrogation rooms, women’s prisons, hospitals, etc were shown to reporters. Here’s a link on Bloomberg that covers it pretty well.
Oh yeah, to answer the question in the headline, unless you’re keeping your IP camera data on your own network and off the cloud, internet, etc, you should probably assume there’s someone watching.
Cameras and components are made by the lowest bidder, an OEM firmware is presented to the reseller, it’s usually branded and a new logo slapped in as well as whatever cloud service they’re pushing, and bam. Done. No more updates.
In the case of the Verkada hack, assuming we’ve got the whole story, hackers managed to get root access and were able to execute code on the cameras, that or they simply found the Verkada super admin account password sitting in a text file indexed on Google, depending on which account you read.
Each one of these cameras is a little linux distro, a little computer running 24/7 just waiting to be hacked. Don’t put your trust in the lowest bidder. Also don’t trust these gateway devices that claim to monitor your systems for unusual activity. Just don’t trust anything you don’t control from beginning to end.