Thousands of Private Camera Feeds Exposed Online

A startling discovery by Bitsight’s TRACE research team reveals over 40,000 internet-connected cameras are openly broadcasting images of homes and businesses without any password protection. Many of these cameras, often with their own web servers, are directly exposed to the internet, making their feeds accessible to anyone with the correct IP address.

The United States leads with approximately 14,000 exposed cameras, concentrated in California and Texas. Japan follows with 7,000, ahead of Austria, Czechia, South Korea, Germany, Italy, Russia, and Taiwan.

This exposure poses severe privacy risks, particularly as cameras are often placed in private areas like bedrooms. Attackers could spy on individuals, extort them with compromising images, or gather surveillance data for physical intrusions. Beyond privacy, unsecured cameras can grant attackers SSH access, leading to full device control. This allows them to compromise other network devices or integrate cameras into botnets, like the infamous Mirai, for denial-of-service attacks or even ransomware deployment.

The vulnerability of internet-enabled cameras is not new. Despite a long history of compromises, including past sites streaming from 40,000 unsecured cameras, vendors often neglect basic cybersecurity hygiene to avoid "costly friction." While regulations are emerging in the US and UK, enforcement remains a challenge. Even major brands like Amazon's Ring have faced issues, including employee access to private feeds and inadequate protection against intruders. Other vendors like Wyze and Eufy have also had embarrassing security missteps.

Protect Your Camera Feeds:

To minimize risks, always use unique login credentials for your cameras and change default passwords. Restrict camera placement to non-sensitive areas. Research potential vulnerabilities of your chosen camera brand. Test remote accesswithout credentials to ensure it's not openly accessible. Finally, regularly apply security patches or enable automatic updates.