The Internet of Things (IoT) enables us to sense and share information of real-world events, including potentially privacy-sensitive information about the users' choices and behaviors. In this paper we focus on the security and privacy problems of Internet-connected cameras. We study two cameras: a consumer camera marketed as a baby monitor, and a surveillance camera marketed for enterprise (physical) security. We show how a generic algorithm can be used to infer actions recorded by the camera, even if the traffic is encrypted, and we also show how both cameras have security vulnerabilities that allow a remote attacker to gain access to the video frames captured by the camera. We also discuss new findings such as the fact that one camera has multiple vendors and domains that connect to a single cloud system supported by a single company, which is a trend we have previously seen in other IoT devices with one company designing the core-functionality of the device and then multiple vendors selling the device under their own brand name and developing different mobile applications for them.