
Security researchers have identified over 40,000 internet-connected surveillance cameras that are freely accessible online, many streaming live video with no password protection.
Despite years of warnings, including a 2023 alert by the same researchers, the latest findings confirm that the issue remains widespread and largely unresolved.
The discovery was made by BitSight, which performed comprehensive internet-wide scans targeting unsecured Real-Time Streaming Protocol (RTSP) and HTTP-based video feeds.
The research uncovered exposed cameras in nearly every corner of the globe, with the United States topping the list at approximately 14,000 vulnerable devices, followed by Japan, Austria, Czechia, and South Korea. Within the U.S., BitSight mapped the distribution of these exposed feeds across states, noting that both residential and enterprise environments are affected.

BitSight, a cybersecurity ratings firm known for tracking internet-exposed risks across enterprise infrastructures, emphasizes that these cameras were not hacked using advanced techniques. In most cases, simply navigating to an IP address via a web browser sufficed to gain access to a live stream: no passwords, no login screens, and no alert to the owners. The ease of discovery means the real number of exposed devices could be significantly higher.
The implications are far from benign. The team found streams of home entryways, children’s rooms, office spaces revealing confidential whiteboards, factory floors exposing proprietary processes, and even data center server rooms. One particularly concerning case showed a public transportation camera broadcasting passengers in real time.
To make matters worse, dark web monitoring by BitSight’s cyber threat intelligence unit confirms that malicious actors are actively sharing techniques to locate exposed cameras and, in some instances, are selling access to specific feeds.

While some cameras, like those aimed at bird feeders or public beaches, are intentionally shared, many are broadcasting without the owner’s knowledge due to poor security defaults and lack of technical oversight.
Securing IP cameras
Home users and organizations should always change the default credentials their IP cameras came with out of the box and use something strong and unique. If remote viewing isn’t needed, consider disabling it entirely.
Enterprises should restrict camera access to internal networks using VPNs or firewall rules so that unauthorized attempts to access the feed are blocked. Finally, it is recommended to perform regular checks for firmware updates that address known vulnerabilities hackers exploit in the wild.
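As an added illustration of the firewall advice above (not code from BitSight or the original article), the following sketch audits a rule export for allow rules that let sources outside the trusted networks reach camera stream ports. The rule format, the camera subnet, the trusted networks and the sample rules are all assumptions constructed for this example, and each rule is judged on its own without modelling rule order.

```python
import ipaddress

# Assumed values for this example: camera VLAN, trusted internal/VPN ranges,
# and stream ports (554 is the RTSP default; 80 and 8080 are common HTTP ports).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
STREAM_PORTS = {554: "RTSP", 80: "HTTP", 8080: "HTTP"}

# Constructed sample rules in a hypothetical "action source -> dest:port" format.
SAMPLE_RULES = """\
allow 0.0.0.0/0 -> 10.20.0.15:554
allow 10.0.0.0/8 -> 10.20.0.15:554
allow 203.0.113.0/24 -> 10.20.0.22:80
allow 10.8.0.0/24 -> 10.20.0.22:8080
deny 0.0.0.0/0 -> 10.20.0.0/24:554
allow 0.0.0.0/0 -> 10.30.0.5:443
"""

def parse_rule(line):
    """Split one rule into (action, source network, destination network, port)."""
    action, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return action, ipaddress.ip_network(src), ipaddress.ip_network(host), int(port)

def exposed_rules(text):
    """Return (rule, protocol) for allow rules that open a camera stream port
    to any source not fully contained in a trusted network."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, src, dst, port = parse_rule(line)
        if action != "allow" or port not in STREAM_PORTS:
            continue
        if not dst.subnet_of(CAMERA_NET):
            continue  # destination is not a camera
        if not any(src.subnet_of(net) for net in TRUSTED_NETS):
            findings.append((line, STREAM_PORTS[port]))
    return findings

if __name__ == "__main__":
    for rule, proto in exposed_rules(SAMPLE_RULES):
        print(f"{proto} feed reachable from untrusted source: {rule}")
```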