Exposed eyes: 40,000 security cameras vulnerable to remote hacking

Over 40,000 internet-exposed security cameras worldwide are vulnerable to remote hacking, posing serious privacy and security risks.

Bitsight warns that over 40,000 security cameras worldwide are exposed to remote hacking due to unsecured HTTP or RTSP (Real-Time Streaming Protocol) access. These cameras stream live feeds openly via IP addresses, making them easy targets for spying, cyberattacks, extortion, and stalking, posing major privacy and security threats.

Identifying HTTP-based security cameras is challenging due to the wide variety of models and interfaces. Researchers analyzed popular brands to develop a fingerprinting method using favicon hashes, HTTP headers, and HTML titles. These cameras stream video via built-in web servers, often found in homes or small offices. Many are fully exposed online, accessible via IP:port, allowing direct access or image capture through known URIs or screenshot tools, even without login credentials.

Researchers discovered that many HTTP-based cameras serve live footage to unauthenticated requests for a specific URI such as /out.jpg. They pointed out that even when a camera appears protected, knowing the right URI can bypass authentication and retrieve real-time screenshots. This highlights a serious privacy risk, as exposed devices can be accessed and monitored simply through direct HTTP requests.

RTSP-based cameras are harder to fingerprint than HTTP-based ones, as they lack clear identifiers like favicon hashes or HTML titles. Researchers analyzed RTSP Server headers to infer vendors but found limited success. To capture screenshots, they tested common RTSP URIs (e.g., /live.sdp, /video.h264) using tools like FFmpeg. RTSP is popular in professional surveillance for low-latency streaming.

Bitsight scanned the internet and identified over 40,000 exposed HTTP- and RTSP-based cameras, capturing live screenshots. Most of the cameras are in the U.S. (approximately 14,000 exposed devices), followed by Japan (~7,000), Austria, Czechia, and others. Analysis by organizational sector showed that the telecommunications sector (79%) dominated due to widespread consumer use. Excluding telecommunications, the technology sector has the most exposed cameras (28.4%), followed by media (19.6%), utilities (11.9%), business services (10.7%), and education (10.6%).

“It’s no surprise that the Telecommunications sector accounts for the majority of exposed cameras we found. These devices are more widespread than ever and can be easily purchased by individuals to monitor their pets, home entrances, or backyards,” reads the report published by Bitsight. “Since these cameras are connected to residential internet networks, their externally accessible IP addresses are associated with the individual’s Internet Service Provider, which ultimately is a company in the Telecommunications sector.”

Thousands of exposed cameras pose real threats to privacy and safety, capturing live footage from homes, offices, stores, factories, and sensitive areas like data centers, ATMs, and even hospitals. Poorly secured DIY setups allow attackers to spy, plan robberies, or steal sensitive data. Exposed feeds include private residences, retail shops, public transport, and patient areas—revealing a wide-scale risk from improperly configured surveillance systems across all sectors.

Bitsight warns that cybercriminals are actively seeking exposed cameras on dark web forums. To stay secure, users should update devices, change default passwords, disable unnecessary remote access, secure internet connections, and monitor for suspicious logins.
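For owners verifying their own devices, the sketch below classifies a response captured from a camera they administer, separating the unauthenticated image or stream behaviour described above from a proper authentication challenge. It is an added example, not code from Bitsight's report; the function names and the sample responses are constructed for illustration.

```python
# Added example: classify a raw HTTP or RTSP response captured from a camera
# you administer. Function names and sample responses are constructed.
JPEG_MAGIC = b"\xff\xd8\xff"

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x or RTSP/1.0 response into (proto, status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP/RTSP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].split("/")[0].upper(), int(parts[1]), headers, body

def classify(raw: bytes) -> str:
    """Return 'exposed', 'auth-required' or 'inconclusive' for one response."""
    proto, status, headers, body = parse_response(raw)
    if status in (401, 403):
        return "auth-required"     # the device refused the unauthenticated request
    if status != 200:
        return "inconclusive"
    ctype = headers.get("content-type", "").lower()
    mjpeg = ctype.startswith("multipart/x-mixed-replace")
    if proto == "HTTP" and (body.startswith(JPEG_MAGIC) or mjpeg):
        return "exposed"           # still image or MJPEG stream without credentials
    if proto == "RTSP" and ctype.startswith("application/sdp") and b"m=video" in body:
        return "exposed"           # DESCRIBE answered with a video session description
    return "inconclusive"          # e.g. an HTML login page served with status 200

# Constructed sample responses (not captured from any real device).
SAMPLES = {
    "http-open": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0\x00\x10JFIF",
    "http-auth": b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm=\"cam\"\r\n\r\n",
    "http-login": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>Login</title></html>",
    "rtsp-open": b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\nv=0\r\nm=video 0 RTP/AVP 96\r\n",
    "rtsp-auth": b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Basic realm=\"cam\"\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

A result of "exposed" from outside the local network means the camera should be moved behind authentication or have remote access disabled, in line with the recommendations above.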


Pierluigi Paganini

(SecurityAffairs – hacking, security cameras)