You don’t get to pick the locations but as Tom Spring details in: Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras, not only can you take over up to 800,000 existing CCTV cameras with the bugs discussed, all those cameras will require a manual upgrade.
Hard to imagine a greater deterrent to upgrading than requiring manual upgrading of each and every camera.
From the post:
…
The first vulnerability (CVE-2018-1149) is the zero-day. Attacker can sniff out affected gear using a tool such as Shodan. Next, the attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI), which acts as the gateway between a remote user and the web server. According to researchers, the attack involves delivering a cookie file too large for the CGI handle. The CGI then doesn’t validate user’s input properly, allowing them to access the web server portion of the camera. “[A] malicious attackers can trigger stack overflow in session management routines in order to execute arbitrary code,” Tenable wrote.The second bug (CVE-2018-1150) takes advantage of a backdoor functionality in the NUUO NVRMini2 web server. “[The] back door PHP code (when enabled) allows unauthenticated attacker to change a password for any registered user except administrator of the system,” researchers said.
…
Which CCTV surveillance camera networks do you have control of? (Rhetorical question. Don’t answer! Bad OpSec.)