Bitsight, a cybersecurity ratings company, has issued a stark warning after its TRACE research team discovered over 40,000 internet-connected security cameras streaming live footage openly on the internet, with no passwords or meaningful security protections in place. These cameras, intended for use in homes, businesses, factories, hospitals, and even public transportation, are inadvertently providing public access to sensitive locations and information.
Key Findings
Scale and Distribution: More than 40,000 cameras worldwide are exposed, with the United States accounting for about 14,000 of these, followed by Japan, Austria, Czechia, and South Korea. Within the U.S., states like Texas, California, Georgia, and Illinois have the highest concentrations of exposed cameras.
Types of Exposed Locations: Exposed cameras were found in a wide variety of settings, including:
• Residential homes (front doors, backyards, living rooms)
• Offices (whiteboards, computer screens with confidential information)
• Factories (proprietary manufacturing processes)
• Hospitals and clinics (patient monitoring)
• Data centers, hotels, gyms, construction sites, retail stores, ATMs, and public transportation (including trams)
Ease of Access: In most cases, anyone with a web browser and the correct IP address can access these live feeds—no elite hacking skills required. Many cameras lack even basic password protection, and some expose administrative interfaces that allow further control over the device.
Security and Privacy Risks
• Espionage and Business Risks: Attackers can use these feeds for espionage, mapping security blind spots, gathering trade secrets, or monitoring business operations.
• Personal Privacy: Cameras inside homes and private areas can be used for stalking, extortion, or burglary planning. Hospital cameras can expose sensitive patient information, raising serious privacy and regulatory concerns.
• Cybercrime Activity: Bitsight found evidence of active discussions on dark web forums where cybercriminals share information about exposed camera feeds and even sell access to them.
• Botnet Recruitment: Exposed cameras can be hijacked and used as part of botnets for launching DDoS attacks or as footholds for further network compromise, as seen in incidents involving the Mirai and Eleven11bot botnets.
Causes and Technical Details
• Default Settings and Poor Security: Many cameras are shipped with weak or default credentials, and users often do not change these or disable unnecessary remote access features.
• Easy Deployment: The simplicity of buying, plugging in, and streaming with minimal setup is a major contributor to the ongoing exposure.
• Detection Methodology: Bitsight used internet-wide scans targeting HTTP-based and RTSP-based cameras, developing fingerprinting techniques to identify cameras from dozens of manufacturers.
Recommendations
Bitsight urges all users and organizations to take immediate steps to secure their cameras:
• Change default usernames and passwords to strong, unique credentials.
• Disable remote access if not needed.
• Regularly update firmware to patch known vulnerabilities.
• Check if cameras are accessible from the internet and restrict access as much as possible.
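The Detection Methodology point above (scanning HTTP- and RTSP-based cameras and fingerprinting the replies) and the last recommendation (check whether your own camera answers from the internet) rest on the same mechanism: send one unauthenticated request and classify what comes back. The Python below is an added example written for this page, not Bitsight's scanner or any code from its report. It builds an RTSP DESCRIBE request with no Authorization header, parses raw RTSP/HTTP replies, reads the Server header as fingerprint material, and reports OPEN (stream description or MJPEG served anonymously), AUTH_REQUIRED (401), UNKNOWN or MALFORMED. The sample replies, the "ExampleCam" server strings, the host 192.0.2.10 and the stream path `/` are all constructed assumptions; real devices use vendor-specific paths and banners.

```python
"""Classify raw RTSP/HTTP camera replies. Added example, not Bitsight's tooling.
Sample replies and vendor strings below are constructed placeholders."""
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Assessment:
    protocol: str
    status: Optional[int]
    server: str   # Server header: the main fingerprinting material
    verdict: str  # OPEN, AUTH_REQUIRED, UNKNOWN or MALFORMED
    detail: str


def build_rtsp_describe(host: str, port: int = 554, path: str = "/", cseq: int = 1) -> bytes:
    """RTSP/1.0 DESCRIBE (RFC 2326), deliberately without Authorization.
    A 200 with an SDP body means an anonymous client learns the stream layout
    and can go on to SETUP/PLAY; a 401 means the device demands a login."""
    return (f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\nAccept: application/sdp\r\n"
            "User-Agent: camera-audit/0.1\r\n\r\n").encode("ascii")


def _parse(raw: bytes) -> Tuple[str, Optional[int], Dict[str, str], bytes]:
    """Split status line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], status, headers, body


def assess_rtsp(raw: bytes) -> Assessment:
    proto, status, headers, body = _parse(raw)
    if not proto.startswith("RTSP/"):
        return Assessment("rtsp", None, "", "MALFORMED", "not an RTSP response")
    server = headers.get("server", "")
    if status == 401:
        return Assessment("rtsp", 401, server, "AUTH_REQUIRED", headers.get("www-authenticate", ""))
    if status == 200 and headers.get("content-type", "").lower().startswith("application/sdp"):
        # SDP handed to an anonymous client: record the media lines it exposes.
        media = [ln for ln in body.decode("latin-1").splitlines() if ln.startswith("m=")]
        return Assessment("rtsp", 200, server, "OPEN", "; ".join(media))
    return Assessment("rtsp", status, server, "UNKNOWN", "")


def assess_http(raw: bytes) -> Assessment:
    proto, status, headers, _ = _parse(raw)
    if not proto.startswith("HTTP/"):
        return Assessment("http", None, "", "MALFORMED", "not an HTTP response")
    server = headers.get("server", "")
    ctype = headers.get("content-type", "").lower()
    if status == 401:
        return Assessment("http", 401, server, "AUTH_REQUIRED", headers.get("www-authenticate", ""))
    if status == 200 and (ctype.startswith("multipart/x-mixed-replace") or ctype.startswith("image/jpeg")):
        # MJPEG stream or snapshot served with no credentials at all.
        return Assessment("http", 200, server, "OPEN", ctype)
    return Assessment("http", status, server, "UNKNOWN", ctype)


def probe_rtsp(host: str, port: int = 554, path: str = "/", timeout: float = 3.0) -> Assessment:
    """Live self-check of a camera you own: one DESCRIBE, then classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_rtsp_describe(host, port, path))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return assess_rtsp(reply)


# Constructed sample replies (not captured from any real device).
SAMPLE_RTSP_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: ExampleCam RTSP\r\n"
                    b"Content-Type: application/sdp\r\n\r\n"
                    b"v=0\r\ns=Example Stream\r\nm=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n")
SAMPLE_RTSP_AUTH = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nServer: ExampleCam RTSP\r\n"
                    b'WWW-Authenticate: Digest realm="camera", nonce="0123abcd"\r\n\r\n')
SAMPLE_HTTP_OPEN = (b"HTTP/1.1 200 OK\r\nServer: ExampleCam-httpd\r\n"
                    b"Content-Type: multipart/x-mixed-replace; boundary=frame\r\n\r\n--frame\r\n")
SAMPLE_HTTP_GENERIC = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for sample, fn in ((SAMPLE_RTSP_OPEN, assess_rtsp), (SAMPLE_RTSP_AUTH, assess_rtsp),
                       (SAMPLE_HTTP_OPEN, assess_http), (SAMPLE_HTTP_GENERIC, assess_http)):
        print(fn(sample))
```

Run `probe_rtsp("<your camera's public IP>")` only against devices you own or are authorized to test. An AUTH_REQUIRED result is not a clean bill of health: the device still answers from the internet, so the remaining recommendations (unique credentials, firmware updates, disabling remote access) still apply; the script deliberately never tries credentials.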