At a time when surveillance is synonymous with safety, the very tools designed to protect us are exposing a growing vulnerability.
Internet-connected security cameras installed to monitor homes, businesses, and public spaces are increasingly being found wide open to the world. The consequences are no longer theoretical.
From quiet residential streets to the heart of critical infrastructure, unsecured cameras are being co-opted, exploited, and in some cases, weaponized.
Cameras as a Threat Vector
At first glance, some of these exposures may seem trivial. Cameras streaming serene beachfronts or remote bird feeders are sometimes meant to be public. Services like EarthCam and Webcamtaxi thrive on it. But the interface behind these live feeds is often far more permissive than it should be.
Too many of these devices run outdated HTTP interfaces that don’t just offer footage; they expose administrative controls. Bitsight TRACE researchers have observed camera dashboards with no login protection at all. In some cases, they’ve found interfaces that allow remote feature activation, including SSH. That’s an open door.
These are the same doors that botnets like Mirai and Eleven11bot have used to recruit compromised cameras into massive, distributed denial-of-service (DDoS) attacks. Recently, the Akira ransomware group went one step further, leveraging exposed cameras to gain initial access for data theft and ransomware deployment.
Surveillance Without Consent
The risks become personal and alarming when the lens turns indoors.
In one analysis, researchers found hundreds of live camera feeds revealing private homes. Living rooms, driveways, entry gates. Some were clearly installed for good reason: to check on elderly relatives, monitor deliveries, or keep an eye on pets. But poor security meant that anyone could watch.
For attackers, these feeds are voyeuristic opportunities and intelligence sources. A view into daily routines, habits, and vulnerabilities. When people come and go. When a home is empty. In the wrong hands, this information could be used to time a break-in, or worse.
Businesses Aren’t Immune
Across industries, organizations are unknowingly streaming their internal operations to the internet, often out of a desire to cut costs with DIY CCTV solutions.
Shops, gyms, restaurants, laundromats, construction sites: all have been found with exposed security feeds. So have office spaces, where visible screens and workstations could leak sensitive information through remote shoulder surfing. The footage is rarely protected, and often linked directly to IP addresses traceable back to the business.
Even cameras monitoring billboards were exposed, likely set up to verify ad placements but never intended for public viewing. In some cases, entire chains of identical camera models were traced back to single organizations, suggesting systemic misconfiguration at scale.
Sensitive Infrastructure at Risk
More troubling are the exposures inside critical environments. Hospitals, factories, and even data centers have all been found with internet-facing surveillance systems.
In factories, exposed cameras can reveal production lines and proprietary processes, a boon for industrial espionage. In hospitals, live patient feeds raise immediate concerns around privacy and potential regulatory violations. In data centers, cameras showing server racks or access doors offer adversaries valuable reconnaissance.
In one particularly concerning case, a camera was found monitoring an ATM. The placement and angle left little doubt: someone could use it to capture PIN entries without installing their own equipment. This type of exposure is a privacy issue and a fraud enabler.
Public Transit, Public Exposure
Researchers also found surveillance cameras installed inside public trams, visible through open IP streams. While possibly used for legitimate operational purposes, their unsecured status exposed passengers to unwanted observation. No authentication. No warning.
It’s the kind of quiet failure that often goes unnoticed.
Securing the Feed
Many of these incidents share a common root cause: poor default configurations. Cameras are often shipped with weak or default passwords, outdated firmware, or remote access enabled by default. Once connected to a network, they are frequently forgotten, left unmonitored, unmanaged, and exposed.
For individuals, the fix is straightforward, if not always intuitive:
- Change default credentials.
- Disable remote access unless absolutely necessary.
- Routinely check whether your camera is accessible from outside your home network.
- Update firmware regularly.
For organizations, the requirements are more robust:
- Block camera access from the open internet unless justified and secured.
- Use VPNs or firewalls to restrict remote viewing.
- Audit camera deployments periodically.
- Monitor for unusual access or login attempts.
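The last two organizational steps, auditing deployments and monitoring for unusual access or login attempts, can be partly automated from the camera's own web-server access log. The following script is an added illustration written for this article, not code from Bitsight or any camera vendor. It parses constructed sample log lines in the common combined format, and flags three conditions the article describes: sensitive admin or stream paths served with no authenticated user, successful requests from addresses outside the assumed internal networks, and repeated failed logins from one source. The path names, the internal-network list and the failed-login threshold are assumptions chosen for the example; adjust them to the device and network being audited.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (combined web-server format); not taken from
# any real device. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for internet sources.
SAMPLE_LOG = """\
192.168.1.20 - admin [12/May/2025:08:01:10 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512
203.0.113.45 - - [12/May/2025:08:02:01 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512
203.0.113.45 - - [12/May/2025:08:02:05 +0000] "GET /videostream.cgi HTTP/1.1" 200 90210
198.51.100.7 - - [12/May/2025:08:03:00 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2025:08:03:01 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2025:08:03:02 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2025:08:03:03 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2025:08:03:04 +0000] "POST /login.cgi HTTP/1.1" 401 0
192.168.1.21 - - [12/May/2025:08:04:00 +0000] "POST /login.cgi HTTP/1.1" 401 0
192.168.1.21 - admin [12/May/2025:08:04:03 +0000] "GET /videostream.cgi HTTP/1.1" 200 90210
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Assumed paths that must never be served to an unauthenticated client.
# Hypothetical names for the example; real firmware differs.
SENSITIVE_PATHS = ("/cgi-bin/admin.cgi", "/videostream.cgi")
LOGIN_PATH = "/login.cgi"

# Assumed internal address space; anything else counts as "the open internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed number of 401s from one source before it is reported as a brute-force attempt.
FAILED_LOGIN_THRESHOLD = 5


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip):
    """True when the source address lies outside the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Scan log text and return findings grouped by category."""
    findings = {"unauthenticated_sensitive": [], "external_access": [], "brute_force": []}
    failed_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the audit
        # A sensitive path returned 200 with no authenticated user: the interface is open.
        if rec["path"] in SENSITIVE_PATHS and rec["status"] == 200 and rec["user"] == "-":
            findings["unauthenticated_sensitive"].append((rec["ip"], rec["path"]))
        # Any successful request from outside the internal networks: camera reachable from the internet.
        if rec["status"] == 200 and is_external(rec["ip"]):
            findings["external_access"].append((rec["ip"], rec["path"]))
        # Count failed logins per source to spot credential guessing.
        if rec["path"] == LOGIN_PATH and rec["status"] == 401:
            failed_by_ip[rec["ip"]] += 1
    findings["brute_force"] = [ip for ip, n in failed_by_ip.items() if n >= FAILED_LOGIN_THRESHOLD]
    return findings


if __name__ == "__main__":
    for category, items in analyse(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

On the sample data the script reports the two unauthenticated hits on admin and stream paths, the same two requests as external access, and a single brute-force source. An empty `external_access` list is the condition the article's first organizational step asks for; a non-empty one means the firewall or VPN restriction is not in place.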
Security cameras are here to stay. But visibility must be managed, not assumed. Because when everyone can see what you’re seeing, you’re no longer the one watching.
Built Without Security in Mind
John Gallagher, Vice President at Viakoo, says: “IP cameras, and IoT devices in general, are among the most easily hacked devices within an organization because they often are set up without security in mind (e.g. using default passwords), do not have their firmware updated regularly, and are not on hidden or segmented networks. The numbers in this Bitsight report are likely very underestimated; if there are a billion IP cameras operating worldwide, just 1% being exploitable would be 10 million cameras.”
There have been several reports of malicious hackers using IP cameras to place botnet armies, the most famous of which was the Mirai botnet attack in 2016 that used physical security systems to launch attacks from, he adds. “However, the Mirai botnet army peaked at about 600,000 infected IoT devices, primarily physical security devices. 40,000 compromised devices is minor in comparison.”
Whether it’s “Big Brother” or cyber-criminal gangs, yes, they are watching us, Gallagher adds. “Often IP cameras are used within a cyber kill chain to perform reconnaissance, or to host malware that can use lateral movement and its placement on the network to access more sensitive corporate data.”
Organizations should follow a simple rule, he says. “If it’s an IP connected device it should be secured by following the same InfoSec policies as servers, laptops, or mobile devices. For example, what is the policy on firmware updates or password rotations, and are the CPS (cyber-physical systems, or IoT/OT/ICS) also being maintained to those policies? Using solutions for asset discovery and cyber hygiene specifically designed for CPS (IoT) is critical. Most security solutions are agent-based, meaning an agent is placed on the device. IoT/OT/ICS devices do not allow this and therefore require using agentless solutions.”
Evaluate Like High Security Devices
According to Chris Gray, Field CTO at Deepwatch, generally speaking, CCTV or other visual monitoring solutions need to be evaluated like any other toolset. “There needs to be an understood purpose, expected content/exposure, classification level(s) of expected transmission materials, and applicable security controls applied. In many cases, these cameras may be, as some have said, for personal use and/or low security levels of monitoring that provide no real exposure if the information was accessed. That said, they need to be evaluated in a similar fashion to more high security devices.”
Gray says end users, whether individuals using these platforms at home or businesses integrating cameras into their monitoring fabric, need to take steps to address the issues identified above (purpose, content, classification, and control coverage). Individual risk tolerances will come into play along with various laws and compliance obligations. Systems which are available to access from the open Internet should be expected to BE accessed eventually.
“As security practitioners, it is our responsibility to communicate these issues, perform the end-to-end evaluations, and recommend the expected protections,” continues Gray. “These can include acceptance of the risk, system hardening (if available), network access segmentation, and, for particularly insecure systems, even system and path encapsulation in point-to-point models.”
These cameras are no different from any number of legacy or minimally capable, purpose-built devices, Gray ends. “We make choices to use them, but that does not free us from the responsibility of doing so at a level of security that is appropriate to the materials we are protecting. The total cost of ownership of these platforms can be far beyond what was initially expected after these evaluations are performed.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.