Research shows that more than 40,000 Internet of Things (IoT) security cameras across the globe are exposed online. 

These cameras operate over HTTP or Real-Time Streaming Protocol (RTSP) and expose live feeds to any individual able to access the corresponding IP address — directly from a web browser.

The HTTP-operating cameras depend on conventional web technology for video control and transmission, and are often found in homes or offices. Malicious actors could leverage these exposed cameras to conduct espionage, extortion, stalking and cyberattacks. 

The RTSP cameras are more often utilized in professional surveillance systems and are more challenging to fingerprint. However, they were responsive to generic URIs and would return screenshots of live footage. 

According to the research, some cameras were determined to be entirely exposed to the web while others needed authentication. Cameras that were entirely exposed could have administrative interfaces accessed, enabling malicious actors to tap into the video feed. As for the cameras that required authentication, providing correct URI and parameters via an implemented API would release screenshots of live footage. 

Among the cameras that were exposing live feeds, the breakdown is: 

• 14,000 in the United States 
• 7,000 in Japan
• Approximately 2,000 each in Austria, Czechia and South Korea
• Approximately 1,000 each in Germany, Italy and Russia

Below, security leaders share their insights on these findings. 

Security Leaders Weigh In 

Chris Gray, Field CTO at Deepwatch:

Generally speaking, CCTV or other visual monitoring solutions need to be evaluated like any other toolset. There needs to be an understood purpose, expected content/exposure, classification level(s) of expected transmission materials, and applicable security controls applied.

In many cases, these cameras may be, as some have said, for personal use and/or low security levels of monitoring that provide no real exposure if the information was accessed. That said, they need to be evaluated in a similar fashion to more high security devices.

End users, whether individuals using these platforms at home or businesses integrating cameras into their monitoring fabric, need to take steps to address the issues identified above (purpose, content, classification, and control coverage). Individual risk tolerances will come into play along with various laws and compliance obligations. Systems which are available to access from the open internet should be expected to be accessed eventually.

As security practitioners, it is our responsibility to communicate these issues, perform the end-to-end evaluations, and recommend the expected protections. These can include acceptance of the risk, system hardening (if available), network access segmentation, and, for particularly insecure systems, even system and path encapsulation in point-to-point models.

At the end of the day, these cameras are no different from any number of legacy or minimally-capable, purpose-built devices. We make choices to use them, but that does not free us from the responsibility of doing so at a level of security that is appropriate to the materials we are protecting. The total cost of ownership of these platforms can be far beyond what was initially expected after these evaluations are performed.

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

Security professionals have been concerned about the IoT ever since these consumer products were released. While something, such as a camera to monitor pets, may seem benign, the security of these devices is often critically deficient. It’s regularly not even the consumer’s fault for not securing these products; they just don’t have the capability to be secure. The consumer purchases the camera and downloads the mobile app without knowing that they have exposed the inside of their house to strangers on the internet. The companies that manufacture these products have the responsibility to secure them and provide customers with the necessary tools to make them secure.

John Gallagher, Vice President at Viakoo:

IP cameras, and IoT devices in general, are among the most easily hacked devices within an organization because they often are setup without security in mind (e.g. using default passwords), do not have their firmware updated regularly, and are not on hidden or segmented networks.  The numbers in this Bitsight report are likely very underestimated; if there are a billion IP cameras operating worldwide, just 1% being exploitable would be 10 million cameras.  

Organizations should follow a simple rule: if it’s an IP connected device it should be secured by following the same InfoSec policies as servers, laptops, or mobile devices. For example, what is the policy on firmware updates or password rotations, and are the CPS (cyber-physical systems, or IoT/OT/ICS) also being maintained to those policies. Using solutions for asset discovery and cyber hygiene specifically designed for CPS (IoT) is critical. Most security solutions are agent-based, meaning an agent is placed on the device. IoT/OT/ICS devices to not allow this and therefore require using agentless solutions.