Over 40,000 Internet-connected cameras stream live footage with NO protection
Take action: The lesson here is very simple. MAKE SURE to secure access to your surveillance devices with a new complex password and to change all default credentials. Ideally, isolate your surveillance cameras from the internet, because most of these devices have vulnerabilities that will not be patched but are very easy to exploit if the device is accessible from the Internet.
Cybersecurity firm Bitsight is reporting that they have detected more than 40,000 internet-connected security cameras that are openly streaming live footage without any authentication or protection measures.
The research reveals that the surveillance devices originally intended for security purposes have become unintended public windows into sensitive spaces across homes, offices, factories, medical facilities, and even hospital patient rooms.
The exposed cameras operate over both HTTP and RTSP (Real-Time Streaming Protocol) technologies, and most of them allow streaming just by opening the IP address with a web browser. Global distribution of the exposed feeds is:
- United States ~ 14,000 exposed cameras
- Japan ~ 2,000 exposed cameras
- Austria ~ 2,000 exposed cameras
- Czech Republic ~ 2,000 exposed cameras
- South Korea ~ 2,000 exposed cameras
The exposed cameras include residential cameras as well as devices in the technology sector (28.4% of exposed devices), media/entertainment (19.6%), utilities (11.9%), business services (10.7%), and education (10.6%). Manufacturing, transportation, and healthcare sectors are also significantly affected, with cameras found monitoring factory floors, public transportation vehicles, and patient care areas.
The unprotected streams show:
- Critical Infrastructure: Cameras monitoring datacenters and IT server rooms, allowing attackers to map blind spots and plan unauthorized physical access, or even look at passwords being typed on the consoles
- Healthcare Facilities: Cameras in hospitals and clinics monitoring patients, creating severe privacy violations in highly sensitive medical environments
- Manufacturing Operations: Factory floor surveillance revealing proprietary manufacturing processes to competitors
- Retail Environments: Cameras in luxury car dealerships displaying high-value vehicle collections, smartphone stores, and jewelry showcases
- Transportation Systems: Public transportation cameras installed inside trams and transit vehicles, compromising passenger privacy
- Corporate Spaces: Office cameras capturing confidential information visible on whiteboards and computer screens and, again, passwords being typed
Bitsight's research methodology involved scanning for cameras using HTTP and RTSP technologies, with HTTP-based cameras being fingerprinted through HTML favicon hashes, HTTP headers, and HTML titles. Many exposed cameras were discovered through known endpoints like /out.jpg or common RTSP paths such as /live.sdp and /video.h264, requiring no authentication.
The cybersecurity firm found evidence of active threat actor interest, with dark web forums containing discussions about exposed cameras, including sharing of IP addresses with descriptions of available feeds such as bedrooms and workshops.
Beyond privacy violations, compromised cameras can be incorporated into botnets for large-scale cyberattacks, similar to the infamous Mirai botnet, or used as pivot points for network infiltration. The US Department of Homeland Security has issued warnings about exposed cameras potentially being used in Chinese espionage campaigns.
The issue stems from the explosion of IoT devices flooding the market with easy-to-use, plug-and-play equipment that prioritizes convenience over security. Many of these devices are shipped with default credentials, weak authentication mechanisms, or configurations that enable remote access by default. Users often skip essential security configurations during setup, including enabling user authentication or changing default credentials.
Organizations and individuals are advised to immediately audit their camera configurations, disable unnecessary remote access features, change default credentials, and implement proper network segmentation to prevent these devices from becoming security liabilities.
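One way to support the audit advised above, as an added example that is not from Bitsight or the original article: it classifies responses you have already captured from your own cameras on the endpoints the research names (/out.jpg, /live.sdp) as served without authentication, protected, or needing manual review. The function names, device addresses and sample responses are constructed for illustration.

```python
# Added example: classify captured HTTP/RTSP responses from cameras you operate.
# Function names and the sample responses below are constructed for illustration.

# Content types that mean a snapshot or stream description was actually served.
MEDIA_TYPES = ("image/", "video/", "multipart/x-mixed-replace", "application/sdp")


def parse_response(raw: bytes):
    """Return (protocol, status_code, headers) from a raw HTTP or RTSP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    proto_version, code = lines[0].split(" ", 2)[:2]
    headers = {name.strip().lower(): value.strip()
               for name, _, value in (line.partition(":") for line in lines[1:])}
    return proto_version.split("/")[0].upper(), int(code), headers


def classify(raw: bytes) -> str:
    """Return 'exposed', 'auth-required' or 'inconclusive' for one response."""
    try:
        proto, code, headers = parse_response(raw)
    except (ValueError, IndexError):
        return "inconclusive"  # not a parseable status line
    if proto not in ("HTTP", "RTSP"):
        return "inconclusive"
    if code == 401 or "www-authenticate" in headers:
        return "auth-required"  # the device challenged the request
    ctype = headers.get("content-type", "").lower()
    if code == 200 and ctype.startswith(MEDIA_TYPES):
        return "exposed"  # media or SDP returned with no challenge
    return "inconclusive"  # redirects, HTML pages, errors: review by hand


def audit(captures: dict) -> dict:
    """Map each (device, path) capture to its classification."""
    return {key: classify(raw) for key, raw in captures.items()}


# Constructed captures for two hypothetical devices (documentation address range).
SAMPLE = {
    ("192.0.2.10", "/out.jpg"): b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8",
    ("192.0.2.10", "/live.sdp"): b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\nv=0",
    ("192.0.2.11", "/live.sdp"): b'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Digest realm="cam"\r\n\r\n',
    ("192.0.2.11", "/out.jpg"): b"HTTP/1.1 302 Found\r\nLocation: /login.html\r\n\r\n",
}

if __name__ == "__main__":
    for (device, path), verdict in audit(SAMPLE).items():
        print(f"{device}{path}: {verdict}")
```

An "inconclusive" result is not a pass: a redirect or HTML page may still lead to a login that accepts default credentials, so those devices need a manual check.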