Thermal-Imaging Cameras on the Network: A New Attack Surface
I was talking to a battalion chief last month about his department's new apparatus. He was proud of the thermal imaging cameras mounted in each cab. Bullard QXTs, top of the line, with Wi-Fi streaming so command can see what the nozzle team sees in real time. He showed me the setup on his phone. Then he told me the cameras connect to the truck's onboard Wi-Fi, which is the same network the MDT uses for CAD and ePCR.
I asked him what the default password was on the cameras.
He did not know.
That is the problem.
Fire Department Thermal Imaging Camera Security Risks
Modern TICs are small computers with a thermal sensor, a processor, a radio, and a web interface. A Bullard QXT or a FLIR K-series connects to Wi-Fi for streaming video to command vehicles and for firmware updates. Some also support configuration through a vendor app.
The physical ruggedness of these devices is impressive. They are waterproof and drop-rated, built to survive a structure fire. The digital side is often wide open.
Default credentials are the most common issue, and the manuals are public. The admin passwords are documented in the first result of a quick search for "Bullard QXT default password" or "FLIR K-series admin login." If the camera is on your network and you never changed the password, anyone on that network owns the camera.
The streaming protocols matter too. Some models send thermal video over unencrypted RTSP or HTTP, which means an attacker on the same Wi-Fi network can capture the feed and see what your interior crew sees in real time. That is a tactical intelligence problem. If someone is watching your thermal feed, they know where your people are, where the hot spots are, and where you are directing resources.
I wrote about Bluetooth Pairing on the Cardiac Monitor a while back. The same principle applies here. A device that is physically hardened and digitally unhardened is not a secure device. It is a ruggedized vulnerability.
Securing IoT Devices in Fire Stations
The apparatus bay is not a garage. It is a network perimeter where industrial tools meet sensitive data. The truck's Wi-Fi network typically connects the TIC, the MDT, and the vehicle telemetry system. Sometimes it also backhauls to the station's operational network.
That architecture means a compromised TIC is a pivot point.
An attacker who gains access to the camera through default credentials or a weak Wi-Fi PSK can do several things: scan the local network for other devices, attempt lateral movement to the MDT for CAD and ePCR access, use the camera's network connection to exfiltrate data or stage a deeper attack, or brick the camera remotely as a denial of service against a life-safety tool.
The attack surface is not theoretical. There are documented cases of IoT cameras being used as entry points into corporate networks. The same techniques apply to a TIC on a fire apparatus. The difference is that the consequences include operational failure during an incident.
A few practical controls for the apparatus bay:
- Place TICs and other IoT tools on a dedicated VLAN that has no route to the MDT network or the station's administrative network.
- Use WPA3-Enterprise or at minimum WPA2 with a strong, rotated PSK for the apparatus bay Wi-Fi. Do not use the same PSK as the station guest network.
- Change default credentials on every TIC during commissioning. Document the new credentials in the asset management system, not on a sticky note in the bay.
- Disable unnecessary services on the camera. If the web interface is not needed for daily operations, turn it off. If SSH or Telnet is enabled and unused, disable it.
- Assign static IPs or DHCP reservations to each TIC so the network team can identify them in logs and monitoring.
How to Change Default Passwords on Bullard and FLIR TICs
The process varies by model, but the pattern is the same. Every TIC with network connectivity has a configuration interface, either through a web browser, a vendor application, or a direct serial connection.
For Bullard QXT and similar models, the configuration is typically accessed through the Bullard Connect app or a web interface on the camera's IP address. The default credentials are in the manual. Log in, find the administration or security section, and set a new password that meets your agency's policy. If the device supports it, enable certificate-based authentication instead of a shared password.
For FLIR K-series and other FLIR TICs, the process is similar. Access the camera's web interface through its IP address, log in with the default credentials, and change the admin password. FLIR devices often have multiple user accounts. Disable any that are not needed and set strong passwords for the ones that remain.
A few things to watch for during commissioning:
- Some devices do not enforce password complexity. You have to choose a strong password manually.
- Some devices store credentials in plaintext in configuration files. If you back up the configuration, treat the backup file as sensitive.
- Some devices have hardcoded service accounts that cannot be disabled. Know what those accounts are and monitor for their use in logs.
The commissioning process should be documented and tracked. Every new TIC should go through the same process before it is deployed to a rig. If the process is not documented, it will not happen consistently.
FLIR TIC Network Segmentation Best Practices
Segmentation is the most effective control for TIC security. The camera does not need to talk to the MDT. It does not need to talk to the station server. It needs to talk to the command vehicle's receiving device and possibly to a vendor update server over the internet.
A three-network model works well for most departments:
- Apparatus Bay IoT VLAN: TICs, vehicle telemetry, and other connected tools. No route to administrative or clinical networks. Outbound internet access restricted to vendor update servers.
- MDT and Operational VLAN: Mobile data terminals, CAD clients, ePCR devices. Strictly controlled access. No inbound connections from the IoT VLAN.
- Station Administrative VLAN: Office computers, printers, servers. Separate from both operational networks.
The IoT VLAN should have its own SSID and PSK. The MDT network should be on a different SSID with different authentication. If the truck has a cellular router with multiple SIMs or VLAN support, use it to keep the networks separate at the vehicle level.
I covered some of this thinking in Connected Vehicle Telemetry and Who Owns the Apparatus Data. The same segmentation logic applies to the TIC as a connected device on the same vehicle network.
Fire Service MDT Network Security Risks
The MDT is the most sensitive device on the apparatus network. It handles CAD data and patient information alongside dispatch communications. If an attacker reaches the MDT through a compromised TIC, they have access to that data.
The risk is not just data theft. An attacker who gains access to the MDT can manipulate dispatch information or alter patient records. Disrupting communications during an incident is also on the table. The operational impact is immediate.
A few additional controls for the MDT side:
- Treat the MDT as a high-value endpoint. Apply the same security controls you would apply to a clinical workstation.
- Use host-based firewalls on the MDT to restrict inbound connections. The MDT should not accept connections from unknown devices.
- Monitor network traffic between the IoT VLAN and the MDT VLAN. If you see traffic crossing that boundary, investigate it.
- Consider using 802.1X network access control on the apparatus bay network. This ensures that only authorized devices can connect, even if someone gains access to the Wi-Fi credentials.
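The three-network model above and the "monitor traffic between the IoT VLAN and the MDT VLAN" control, as an added example that is not from the original post: a small Python checker that encodes the IoT/MDT/admin policy and runs it over router log lines, flagging any crossing between the IoT VLAN and the MDT or admin VLANs (allowed or denied) and any IoT egress not bound for the vendor update server. The /24 subnets, the 203.0.113.10 vendor host and the log line format are constructed assumptions; adjust them to your apparatus router's syslog export.

```python
import ipaddress
import re

# Constructed VLAN layout for the three-network model (assumption: one /24 per VLAN).
VLANS = {
    "iot": ipaddress.ip_network("10.10.10.0/24"),    # TICs, telemetry, command receiver
    "mdt": ipaddress.ip_network("10.10.20.0/24"),    # MDT, CAD and ePCR clients
    "admin": ipaddress.ip_network("10.10.30.0/24"),  # station office systems
}
VENDOR_UPDATE_HOSTS = {ipaddress.ip_address("203.0.113.10")}  # placeholder vendor update server
# Constructed router log format: "... src=<ip> dst=<ip> proto=<p> dport=<n> action=<allow|deny>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=\d+ action=(allow|deny)")

def zone(ip: str) -> str:
    """Name the VLAN an address belongs to, or 'external' if it is off the apparatus network."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "external")

def violation(src: str, dst: str):
    """Return why a flow breaks the segmentation policy, or None if it is permitted."""
    s, d = zone(src), zone(dst)
    if "iot" in (s, d) and {s, d} & {"mdt", "admin"}:
        return f"{s} to {d}: the IoT VLAN must have no route to the MDT or admin networks"
    if s == "iot" and d == "external" and ipaddress.ip_address(dst) not in VENDOR_UPDATE_HOSTS:
        return f"IoT VLAN egress to {dst}: only vendor update servers are permitted"
    return None  # intra-VLAN traffic (TIC to command receiver) or flows not involving the IoT VLAN

def scan(log_text: str) -> list:
    """Apply the policy to router log lines; returns (severity, reason, line) per boundary crossing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped, not silently accepted
        reason = violation(m[1], m[2])
        if reason:  # an allowed crossing is a routing gap; a denied one is still an attempt to investigate
            findings.append(("policy-gap" if m[3] == "allow" else "attempt", reason, line))
    return findings

# Constructed sample export: line 3 is a routing gap, line 4 a blocked attempt, line 5 non-vendor egress.
SAMPLE_LOG = """\
Jun 03 14:02:11 apparatus-rtr src=10.10.10.21 dst=10.10.10.5 proto=tcp dport=554 action=allow
Jun 03 14:02:15 apparatus-rtr src=10.10.10.21 dst=203.0.113.10 proto=tcp dport=443 action=allow
Jun 03 14:03:40 apparatus-rtr src=10.10.10.21 dst=10.10.20.7 proto=tcp dport=443 action=allow
Jun 03 14:03:41 apparatus-rtr src=10.10.10.21 dst=10.10.20.7 proto=tcp dport=22 action=deny
Jun 03 14:04:02 apparatus-rtr src=10.10.10.21 dst=198.51.100.9 proto=tcp dport=8443 action=allow
"""
if __name__ == "__main__":
    for severity, reason, line in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Feed it the router's denied-and-allowed flow export on a schedule; a "policy-gap" finding means the VLAN isolation is not actually enforced, while an "attempt" finding means something on the IoT VLAN is probing the MDT side and deserves a look even though it was blocked.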
Frequently Asked Questions
Why is a thermal imaging camera considered a security risk?
Modern TICs are small computers with Wi-Fi connectivity. They ship with default administrative credentials that are documented in public manuals. If they are connected to the same network as your MDTs or station computers, an attacker can use the camera as a backdoor into your operational network.
How should I segment my network to protect these devices?
Create a separate VLAN specifically for IoT tools including TICs. This VLAN should have no route to the MDT network or the station's administrative network. Use a different Wi-Fi SSID and credentials for the IoT network. This ensures that even if a camera is compromised, the attacker cannot move laterally to sensitive systems.
Do I really need to change the password on a handheld tool?
Yes, you do. Default credentials are published in the device manual, which is available online. Anyone who gains access to your Wi-Fi can use those defaults to take control of the camera. That means they can control the stream, access the configuration, and use the device to attack other systems on your network.
What happens if a TIC is compromised during an active incident?
An attacker who controls the TIC can disrupt the thermal feed or disable the camera. They can also use it to pivot to other devices on the network. If the MDT is on the same network, the attacker may gain access to CAD and ePCR data. The operational impact ranges from lost situational awareness to compromised patient data.
Should TICs be on the same network as the station computers?
TICs should be on a dedicated IoT VLAN that is isolated from the station's administrative and operational networks. The only exception is the command vehicle receiving device, which should be on the same VLAN as the TIC for streaming purposes. Putting them on the same network as station computers defeats the purpose of segmentation.
---
The battalion chief I talked to is making changes now. New VLAN, new credentials, documented commissioning process. It took one conversation and a few hours of configuration work. The cameras still stream to command, the firefighters still have the same tool, and the only difference is the network no longer has a backdoor that anyone with a manual and a Wi-Fi password can walk through.
That is the standard. Not perfect security. Just the baseline that should have been there from the start.
-- Steven