The findings raise serious questions over privacy and security, particularly given the ease with which some devices can be accessed
More than 40,000 internet-connected security cameras around the world have been found to be accessible via the open web, exposing live video streams to anyone with the right IP address, recent research reveals.
These Internet of Things (IoT) devices, used in both homes and professional surveillance systems, rely on either HTTP or Real-Time Streaming Protocol (RTSP). Cameras operating over HTTP use basic web technologies to transmit and control video feeds, while RTSP is more common in commercial installations.
The findings raise serious questions over privacy and security, particularly given the ease with which some devices can be accessed. While some systems required authentication, many were completely exposed online, with administrative interfaces openly accessible. Others, though protected by login pages, still released screenshots through exposed APIs when probed with the correct URI and parameters.
The impact spans multiple countries. The largest number of exposed devices — 14,000 — were located in the United States. Japan accounted for 7,000, while Austria, Czechia and South Korea each had around 2,000 exposed devices. Germany, Italy and Russia followed with approximately 1,000 each.
Security experts are warning that such exposure could enable malicious actors to conduct espionage, stalking, extortion and cyberattacks. In particular, fully accessible camera interfaces could allow hackers to manipulate settings or monitor spaces in real time.
wake-up call for users and manufacturers
Chris Gray, Field CTO at Deepwatch, said that visual monitoring tools like CCTV cameras should be evaluated with the same rigour as other IT systems. “There needs to be an understood purpose, expected content, classification level of the material transmitted, and appropriate security controls,” he explained. He added that even low-security consumer devices require serious consideration, especially when accessible from the public internet.
Gray emphasised the need for system hardening, network segmentation, and risk acceptance where appropriate. “These cameras are no different from legacy or minimally-capable, purpose-built devices. We make choices to use them, but that does not free us from the responsibility of securing them.”
Thomas Richards, Infrastructure Security Practice Director at Black Duck, said that many IoT security issues stem from design flaws, not user behaviour. “While something like a pet-monitoring camera may seem benign, these devices are often critically deficient in security,” he said. “Consumers are rarely informed that they may be exposing their homes to the internet.”
Richards laid responsibility squarely at the feet of manufacturers, arguing that consumers are not typically equipped with the tools or knowledge to secure their devices. “The companies that manufacture these products have the responsibility to secure them and provide customers with the necessary tools.”
More widespread than reported?
John Gallagher, Vice President at Viakoo, warned that the actual number of vulnerable cameras may be far higher than current estimates suggest. “If there are a billion IP cameras operating worldwide, just 1% being exploitable would be 10 million cameras,” he said.
Gallagher criticised the lack of basic security hygiene in many IoT deployments — such as unchanged default passwords, outdated firmware, and a failure to segment devices from wider networks. He called for IoT devices to be treated with the same information security policies as traditional IT assets, including regular password rotations and updates.
He also noted that most conventional security tools, which rely on software agents, are unsuitable for IoT and OT environments. “IoT/OT/ICS devices do not allow agents, so agentless solutions designed for these systems are critical.”
As the number of connected devices continues to climb, experts say that stronger regulation, better security practices, and increased manufacturer accountability are urgently needed to stem the growing risks to individual privacy and organisational integrity.
