Arthur T Knackerbracket has processed the following story:
14,000 vulnerable feeds found in the U.S.
A major privacy concern involving more than 40,000 security cameras worldwide has been revealed by cybersecurity firm Bitsight. According to the company's TRACE research division, these cameras are live-streaming video feeds that are fully exposed to the internet — meaning that one can gain access without needing any sort of authentication, encryption, or even a basic password. In most cases, a person can access real-time footage from these exposed cameras simply by knowing their IP address.
Bitsight initially flagged the issue back in 2023, but recent research suggests that the situation “hasn’t gotten any better.” According to the latest research, these vulnerable cameras are not limited to one region or industry. The United States has close to 14,000 cameras that are potentially exposed, with states like California, Texas, Georgia, and New York having the highest numbers. Next on the list is Japan, with 7,000 exposed cameras, followed by Austria, Czechia, and South Korea, each of which has close to 2,000 vulnerable devices.
It is true that not every camera hooked up to the internet is a cause for concern, and some livestreams are set up intentionally to showcase scenes, like a beach or a birdhouse, for public viewing. However, some of these vulnerable cameras have been found in more private environments — including residential setups monitoring front doors, backyards, and even living rooms.
Cameras in office spaces, factories, as well as public transportation systems were also found. Bitsight researchers were able to observe sensitive spaces, monitor foot traffic, and, in some cases, even see details written on whiteboards — all in real time. The majority of the exposed devices are said to be using HTTP, while the rest stream through RTSP (Real-Time Streaming Protocol), which is a common protocol for controlling and managing streaming media over IP networks.
In addition to raising privacy and surveillance concerns, these exposed devices pose serious security risks. Information collected by Bitsight’s Cyber Threat Intelligence team suggests that users are openly discussing the feeds on dark web forums, where they share tools and techniques to gain unauthorized access, and even sell access, to unprotected video streams.
Users and organizations are advised to double-check how their cameras are configured: disable remote access if not in use, update to the latest firmware, and make sure the device is protected behind a firewall or connected to a secure network. A simple way to check whether your camera is exposed is to access it from outside your home network. If you are able to view the camera feed without logging into a secure app or using a VPN (Virtual Private Network), it’s likely open to anyone on the internet. Additionally, one should replace any default usernames and passwords, as many camera devices ship with a default set of credentials that are easy to crack.
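One way to run the check described above against a camera you administer, as an added example that is not from the article or from Bitsight: `classify` and `probe` are hypothetical helpers, and the sample replies are constructed. It separates a 401 challenge from a 200 that actually carries media, since an HTTP 200 may only be a login page.

```python
import socket
from urllib.parse import urlparse

# Content types that mean a picture or stream description was actually served.
MEDIA_TYPES = ("image/", "video/", "multipart/x-mixed-replace", "application/sdp")

def classify(raw: bytes) -> str:
    """Classify the reply to a request that carried NO credentials."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if (len(parts) < 2 or not parts[0].startswith(("HTTP/", "RTSP/"))
            or not parts[1].isdecimal()):
        return "unrecognised"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    status = int(parts[1])
    if status == 401:
        return "auth-required" if "www-authenticate" in headers else "401-no-challenge"
    if status == 200:
        if headers.get("content-type", "").startswith(MEDIA_TYPES):
            return "exposed-media"
        return "no-challenge-check-manually"  # e.g. an HTML login form
    return f"status-{status}"

def probe(url: str, timeout: float = 5.0) -> str:
    """Send one unauthenticated request to a camera you administer."""
    u = urlparse(url)
    if u.scheme == "rtsp":
        port = u.port or 554
        req = f"DESCRIBE {url} RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n"
    elif u.scheme == "http":
        port = u.port or 80
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        req = f"GET {target} HTTP/1.0\r\nHost: {u.hostname}\r\n\r\n"
    else:
        raise ValueError("only http:// and rtsp:// URLs are handled")
    with socket.create_connection((u.hostname, port), timeout=timeout) as s:
        s.sendall(req.encode("ascii"))
        return classify(s.recv(4096))

# Constructed replies, not captured from any real device.
SAMPLES = {
    "rtsp_open": b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n",
    "rtsp_auth": b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Digest realm=\"cam\"\r\n\r\n",
    "http_mjpeg": b"HTTP/1.0 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=f\r\n\r\n",
    "http_login": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
}
```

Run `probe` from a connection outside the camera's own network, such as a phone hotspot, so the result reflects what the internet sees.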
Related Stories
Standards nerd and technology enthusiast, Terence Eden, has analyzed the Brother printers' default password scandal in light of the UK computer security legislation.
So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.
The UK law in question is The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. Brother might also have crossed the line in California which had already outlawed default passwords from 2020 onward.
Previously:
(2025) Massive Privacy Concern: Over 40,000 Security Cameras Are Streaming Unsecured Footage Worldwide
(2024) Secure Boot is Completely Broken on 200+ Models From 5 Big Device Makers
(2022) An Update to Raspberry Pi OS Bullseye
(2018) Weak Passwords to be Banned in California
(Score: 3, Informative) by JoeMerchant on Monday June 16 2025, @02:15AM (4 children)
... they want their UPnP back ...
To say it more clearly: I installed a TrendNet IP camera about 10 years ago... about 9 years ago I discovered that it conspired with my Netgear router to automatically expose its feed to the internet via UPnP, silently, by default configuration of both devices.
It's a thing worth checking on your home network, particularly if you care if anyone sees your IP camera feed, or uses your bandwidth to do so. I discovered my issue because I found that several IP addresses from around the world were actively viewing my feed. That faded away a few months after I shut it down.
🌻🌻🌻🌻 [google.com]
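The check this comment suggests, as an added example that is not part of the comment: it parses the port-mapping table that miniupnpc's `upnpc -l` prints for the router and flags forwards pointing at a camera. The sample listing, its addresses and the helper names are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample of a `upnpc -l` mapping table (addresses and names are made up).
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:80    'IPCAM_HTTP' '' 0
 1 TCP   554->192.168.1.50:554   'IPCAM_RTSP' '' 0
 2 UDP 51413->192.168.1.23:51413 'torrent client' '' 3600
"""

# index, protocol, external port -> internal host:port, quoted description
ROW = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->([\d.]+):(\d+)\s+'([^']*)'")

def parse_mappings(listing):
    """Return one dict per port mapping; header and other lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, ext_port, host, int_port, desc = m.groups()
        rows.append({
            "proto": proto,
            "ext_port": int(ext_port),
            "host": ip_address(host),
            "int_port": int(int_port),
            "desc": desc,
        })
    return rows

def camera_exposures(listing, camera_ips):
    """Mappings that forward an internet-facing port to one of the cameras."""
    cams = {ip_address(ip) for ip in camera_ips}
    return [r for r in parse_mappings(listing) if r["host"] in cams]

def report(listing, camera_ips):
    """Human-readable lines, one per exposed camera port."""
    return [
        f"{r['proto']} {r['ext_port']} on the router -> {r['host']}:{r['int_port']} ({r['desc']})"
        for r in camera_exposures(listing, camera_ips)
    ]
```

Feed it the real output of `upnpc -l` run from a machine on the LAN; an empty report means the router holds no UPnP forward to the listed cameras, not that the cameras are unreachable by other routes.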
(Score: 3, Funny) by Anonymous Coward on Monday June 16 2025, @02:54AM (1 child)
Call me paranoid all you want (some friends do), but I turn off any and all such "services". First thing I do on new Windows install- turn off UPnP, SSDP, and any other such thing. Same for gateways, routers, etc.- turn off any and all automatic things.
At some point I'll usually do an nmap scan of the Internet-facing port (from a live online server) to be sure there are no ports open.
Of course that doesn't stop the router from initiating a communication with someone somewhere. You'd want to run a Wireshark on the 'net side to check that.
Then you'd need to firewall the camera system.
Camera system I installed for someone some years ago- I blocked its access to the 'net, so to view it remotely you had to remote in to an onsite computer and view the cameras. Worked perfectly.
(Score: 2) by JoeMerchant on Tuesday June 17 2025, @12:46AM
> to view it remotely you had to remote in to an onsite computer and view the cameras.
This is how my wife views a camera from her laptop: I set her up with VLC on the HTPC, she knows how to get the camera there, so instead of opening the VLC "Network Stream" that is also saved on her laptop, she opens VNC remote desktop to the HTPC and then VLC in there... it works, I don't have to tell her how to do any of it, but it does use a LOT more CPU than just viewing directly.
🌻🌻🌻🌻 [google.com]
(Score: 1, Interesting) by Anonymous Coward on Monday June 16 2025, @02:57AM (1 child)
Another approach is set up a honeypot system that just feeds goatse and other can't be unseen things. Sadly some of the voyeurs might like it, so maybe nevermind.
(Score: 2, Funny) by Anonymous Coward on Monday June 16 2025, @10:15AM
Monetize it! Send 'em ads!
(Score: 2) by c0lo on Monday June 16 2025, @05:33AM
Ummm... anything interesting so far?
I mean, aside from the ones with a clear for-the-public purpose [abc.net.au].
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Funny) by Snotnose on Monday June 16 2025, @12:37PM
The S in IoT stands for "Security".
Trump's Grave will be the world's most popular open air toilet.
(Score: 4, Insightful) by PiMuNu on Monday June 16 2025, @02:11PM
In Europe any organisation doing this is (probably) breaking GDPR, even if they don't know it.