A BitSight report shows that over 40,000 security cameras connected to the Internet worldwide are transmitting live images without protection, thereby jeopardising the security and privacy of their users.
People who install surveillance cameras in their homes or businesses usually do so to increase security. However, if they are careless or make mistakes, they can sometimes achieve exactly the opposite, as a recent report by BitSight TRACE shows. Security researchers have discovered over 40,000 security cameras that transmit their recordings unprotected and visible to everyone on the Internet – without requiring a password or other form of authentication to access the stream. Security researchers pointed out this problem two years ago, but the situation does not seem to have improved since then.
According to the report, it is surprisingly easy to gain access to the live streams. All you need is a web browser and the camera’s Internet address – which means that the 40,000 cameras found are probably just the tip of the iceberg.
In their investigation, the security researchers focused primarily on two types of cameras: HTTP- and RTSP-based cameras. While the former are usually found in private households, RTSP cameras are more commonly used in companies for continuous live streaming. To find unprotected cameras, the security researchers needed to know the camera's manufacturer. They then tested specific internet addresses (URIs) with which they could create live screenshots.
For camera users, this means that unauthorised persons could gain access to their most private areas, for example via baby monitors or surveillance cameras at entrance doors. Private conversations could also be eavesdropped on if the camera has a microphone.
The researchers found particularly high numbers in the USA, where they discovered around 14,000 unprotected surveillance cameras, followed by Japan, Austria, the Czech Republic and South Korea. The locations from which the cameras transmitted images ranged from residential buildings to businesses.
Hackers are also aware of this security vulnerability. The security researchers found numerous posts on darknet forums on this topic. Some cybercriminals even sold access to such live feeds.
Earlier this year, the US Department of Homeland Security (DHS) warned that cameras, especially those manufactured in China, often lack basic security, which could be exploited by spies and cybercriminals. Footage from locations such as hospitals and data centres could be used for espionage or even to plan robberies.
Users of cameras with internet access should therefore make sure that they secure their devices to prevent unauthorised access. How this works depends on the device used and should be explained in the user manual. If there are no security settings – which is unfortunately still the case with some manufacturers despite the very real danger – it is better not to use the device.