US Tops List of Unsecured Cameras Exposing Homes and Offices

A new study by BitSight TRACE shows that over 40,000 security cameras connected to the internet are openly available for anyone to see. These cameras, meant to keep us safe, are actually putting us at risk because they don’t have passwords or any protection. Bitsight first warned about this problem in 2023, and unfortunately, things haven’t gotten better.

It’s surprisingly easy to access these cameras; usually, all you need is a regular web browser and the camera’s internet address. This means the 40,000 cameras found are likely just a small part of a much bigger issue.

These exposed cameras are all over the world, with the United States leading the way with about 14,000. Japan comes in second, followed by Austria, Czechia, and South Korea. They are found in many places, from homes to sensitive businesses.

For individuals, an open camera means anyone could be watching your baby monitor, home security camera, or pet cam without you knowing. If the camera has a microphone, private conversations could also be listened in on.

BitSight looked at two main types of internet cameras: HTTP-based cameras and RTSP-based cameras. HTTP cameras are usually what you find in homes, while RTSP cameras are more common in businesses for continuous live streaming.

To find these cameras, BitSight had to figure out which manufacturer made them and then test specific internet addresses. Researchers found that by knowing the right internet address (URI), they could get a live screenshot without a password, and used common RTSP paths to try and capture screenshots.

These open cameras offer a view into many private spaces:

• Public transport: Streaming passengers.
• Factories: Exposing manufacturing secrets.
• Homes: Showing front doors, backyards, and living rooms.
• Offices: Revealing whiteboards and computer screens with secret information.

The research reveals that bad actors, like cybercriminals and spies, are paying close attention as BitSight found discussions on the dark web where people talk about how to find and use these exposed cameras. Some even sell access to live feeds.

For individuals, an open camera means anyone could be watching your baby monitor, home security camera, or pet cam without you knowing. If the camera has a microphone, private conversations could also be listened in on.

The US Department of Homeland Security (DHS) even warned earlier this year that cameras, especially those made in China that often lack basic security, could be used by spies. This isn’t just a made-up problem; it’s happening right now, with feeds from places like hospitals and data centers being exposed, which could be used for espionage or even planning robberies.

Bitsight emphasizes that safeguarding these cameras is crucial for individuals and organizations alike. Key recommendations include checking if your camera is remotely accessible without a secure login, keeping firmware updated, changing default usernames/passwords to strong ones, and disabling remote access.

For organizations, it is advised to restrict access with firewalls and Virtual Private Networks (VPNs) and to set up alerts for any unusual login attempts. For further guidance, Bitsight’s full report, called “Big Brother Is Watching (And So Is Everyone Else),” has all the details.

Thomas Richards, Infrastructure Security Practice Director at Black Duck commented on the latest development, stating, “Security professionals have been concerned about the Internet of Things (IoT) ever since these consumer products were released. While something, such as a camera to monitor pets, may seem benign, the security of these devices is often critically deficient.“

“It’s regularly not even the consumer’s fault for not securing these products; they just don’t have the capability to be secure,“ he explained. “The consumer purchases the camera and downloads the mobile app without knowing that they have exposed the inside of their house to strangers on the Internet. The companies that manufacture these products have the responsibility to secure them and provide customers with the necessary tools to make them secure,” Thomas emphasised.