
40,000 IoT Cameras Worldwide Stream Secrets To Anyone With a Browser

(Wednesday June 11, 2025 @03:00AM (BeauHD) from the would-you-look-at-that dept.)


Connor Jones reports via The Register:

> Security researchers [1]managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what's possible. Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese espionage campaigns, the team at Bitsight was able to tap into feeds of sensitive locations. The US was the most affected region, with around 14,000 of the total feeds streaming from the country, allowing access to the inside of datacenters, healthcare facilities, factories, and more. Bitsight said these feeds could potentially be used for espionage, mapping blind spots, and gleaning trade secrets, among other things.


> Aside from the potential national security implications, cameras were also accessed in hotels, gyms, construction sites, retail premises, and residential areas, which the researchers said could prove useful for petty criminals. Monitoring the typical patterns of activity in retail stores, for example, could inform robberies, while monitoring residences could be used for similar purposes, especially considering the privacy implications.

> "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible," said Bitsight in [2]a report. "Some don't even require sophisticated hacking techniques or special tools to access their live footage in unintended ways. In many cases, all it takes is opening a web browser and navigating to the exposed camera's interface."

> HTTP-based cameras accounted for 78.5 percent of the total 40,000 sample, while RTSP feeds were comparatively less open, accounting for only 21.5 percent.

> To protect yourself or your company, Bitsight says you should secure your surveillance cameras by changing default passwords, disabling unnecessary remote access, updating firmware, and restricting access with VPNs or firewalls. Regularly monitoring for unusual activity also helps to prevent your footage from being exposed online.



[1] https://www.theregister.com/2025/06/10/40000_iot_cameras_exposed/

[2] https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-security-cameras



Re: (Score:1)

by Tablizer ( 95088 )

It says the bulletin is "non-public". I suppose that means they'll have to kill us if they told us? Maybe they are afraid the camera company(s) have dirt videos on them? Epstein Island 2.0?

Re: (Score:2)

by test321 ( 8891681 )

I assume anything consumer-grade, and anything cheap, isn't secure. I would only consider IP cameras supported by OpenIPC and overwrite the firmware.

It's not a secret (Score:4, Informative)

by Vomitgod ( 6659552 )

[1]https://www.shodan.io/ [shodan.io]

has been available for years.....

[1] https://www.shodan.io/

Re: (Score:3)

by Hadlock ( 143607 )

One of our engineers did this as a side project back in 2015 in an afternoon, set up a web scraper on AWS and the next day we could visit all these things. I'm pretty sure the company did a new article on this... ten years ago.

default logins (Score:1)

by dicobalt ( 1536225 )

just say no to their existence

When they hack all the cameras in the world- (Score:2)

by locater16 ( 2326718 )

-in that stupid thriller and you were like "no way, security doesn't work like that!" but then it turns out the real world is as stupid as that show/movie is.

Re: When they hack all the cameras in the world- (Score:2)

by TJHook3r ( 4699685 )

Accountant 2. I don't mean to drop spoilers but I've just watched the film and IT folks will love it!

the cameras serve up a website (Score:2)

by ZipNada ( 10152669 )

I wanted to replace an obsolete camera surveillance system a few months back with better cameras and a more capable NVR server so I learned what I could about the tech. You can buy a good POE camera for under $60. Hook several to a POE switch attached to your local network (which damn well better be behind your router firewall) and you can get to the feeds and record them with some open source software running on a cheap linux micro-pc; [1]https://docs.shinobi.video/ [docs.shinobi.video]

I tried several camera brands. Hikvision, Re

[1] https://docs.shinobi.video/

Re: (Score:2)

by war4peace ( 1628283 )

I think most of those open cameras are open to the Internet because their owners intentionally opened ports in their routers.

Re: the cameras serve up a website (Score:1)

by Ilove_Noname ( 8919879 )

No, sadly UPnP has been a default on most personal routers and ISP-provided routers for a long time. So the user does not need to open any ports, the device can do so via UPnP.

The 2012 Carna Botnet used 420,000 nodes (Score:2)

by laughingskeptic ( 1004414 )

Surprised the number isn't larger. In 2012 the Carna Botnet used 420,000 nodes to perform the "Internet Census of 2012" and most of those nodes were cameras.

The return of Google Hacking (Score:2)

by Mirnotoriety ( 10462951 )

[1]Google Hacking to Find Unsecured Web Cams [hackers-arise.com]

[1] https://hackers-arise.com/open-source-intelligenceosint-part-4-google-hacking-to-find-unsecured-web-cams/

Yahoo (Score:2)

by TJHook3r ( 4699685 )

Back in the day, Yahoo's search engine used to work with categories, one of which was devices connected to the Internet. Used to be great fun logging into a random California boardwalk webcam to see some sunshine in glorious 1 FPS detail!
