This article was originally published by Jazz Cyber Shield.
You installed a security camera to feel safer. That is completely reasonable. But here is the question most people never ask after plugging one in: who else can see what it sees?
The answer, for a shocking number of households and small businesses, is: anyone who looks.
This is not a theoretical threat. Security researchers, journalists, and hobbyists have demonstrated repeatedly that thousands of cameras — in homes, offices, nurseries, and warehouses — are accessible to complete strangers on the internet. Not because of sophisticated nation-state hacking. Because of default passwords that were never changed, firmware that was never updated, and routers that silently opened doors to the outside world without the owner knowing.
If you are a developer, sysadmin, or just someone who cares about how connected devices actually work, this post breaks down the real attack surface of consumer security cameras — and gives you a practical path to locking yours down.
The Attack Surface: Where Cameras Go Wrong
Consumer security cameras fail in surprisingly consistent ways. Understanding the failure modes is the first step toward fixing them.
1. Default Credentials
Every camera ships from the factory with a default username and password. Common examples include admin/admin, admin/12345, and root/root. Manufacturers publish these in product manuals. Third-party sites aggregate them into searchable databases.
Automated bots continuously scan the internet for exposed camera interfaces and test known default credentials against them. This requires no skill and no special tools. It is pure automation. If you never changed your camera's default password, your device is likely already indexed and accessible.
The fix is simple: change the password immediately on setup. Use a randomly generated string of at least 16 characters and store it in a password manager.
2. Shodan and Open Port Exposure
Shodan is a search engine that indexes internet-connected devices rather than websites. It scans the entire IPv4 address space, probes common ports, and records what it finds. Anyone with a free account can search it.
A search for a popular camera brand or common camera ports — 80, 554, 8080, 8554 — returns thousands of live results, complete with device model, firmware version, geographic location, and in many cases a direct link to the live stream or admin panel.
These cameras are not hacked. They are simply exposed. A combination of weak router configuration and a feature called Universal Plug and Play (UPnP) causes many cameras to automatically open ports to the internet when they connect to a network — without the owner ever being asked or informed.
To check your own exposure, look up your public IP at whatismyip.com and then search it on shodan.io. If your camera appears in the results, it is publicly accessible.
3. Unpatched Firmware
The budget end of the camera market is dominated by unbranded hardware manufactured at scale, sold under dozens of different labels, and rarely maintained after the initial release. These devices frequently ship with known vulnerabilities — hardcoded backdoor credentials, unauthenticated API endpoints, buffer overflows — and never receive patches.
Security researchers have found that many cameras from different brand names run identical firmware with identical vulnerabilities, because they all come from the same original manufacturer. Once a vulnerability is published, it is exploitable across the entire product family, regardless of what name is printed on the box.
The lesson for developers is familiar: supply chain matters. The cheap component you chose for its price tag carries the security posture of whoever made it.
4. Unencrypted Transmission
Older and cheaper cameras frequently transmit video over plain HTTP rather than HTTPS, and stream using the RTSP protocol with no encryption or authentication. On any shared network, a passive observer running a tool like Wireshark can capture the raw video stream without touching the camera at all.
This is not a sophisticated man-in-the-middle attack. It is passive observation of data that was never protected in the first place.
Developers building systems that integrate camera feeds should verify at the protocol level that streams are encrypted in transit. Assuming the vendor handled it is not sufficient.
5. Cloud Account Hijacking via Credential Stuffing
Modern consumer cameras — Ring, Nest, Arlo, Wyze — have improved their device-level security considerably. The weak point has shifted upstream to the cloud account.
Credential stuffing works like this. Billions of username and password pairs have been leaked in data breaches over the past decade. These lists are freely available and constantly refreshed. Attackers run automated tools that test these credential pairs against popular login endpoints at high volume.
If a user reused a password from a breached service for their camera cloud account, the attacker gets in. No vulnerability required. No brute force. Just a leaked password from an old account, tested against a new one.
The defence is two-factor authentication and unique passwords per service. Developers building authentication systems should also implement rate limiting, anomaly detection on login geography, and breach password checking at registration time — the Have I Been Pwned API makes this straightforward.
6. Local Network Pivoting
A camera on the same flat network as a developer's workstation, a home server, or a NAS device is a liability that extends well beyond video footage. Once an attacker gains a foothold on a compromised camera — through any of the methods above — they can use it as a pivot point.
From a compromised IoT device on your network they can conduct ARP spoofing to intercept traffic, scan internal hosts and services, attempt lateral movement to devices that trust the local network, and exfiltrate data through the camera's existing outbound connection.
Network segmentation is the answer. Cameras belong on their own VLAN or isolated guest network, with firewall rules that prevent them from initiating connections to the rest of your network.
A Real-World Example Worth Knowing
In 2019, Vice reported that compromised Ring camera accounts were being sold on dark web forums for as little as six dollars each. Buyers used these credentials to access live home feeds and, in multiple documented cases, used the two-way audio feature to speak directly to the families inside — including to children in their bedrooms.
This was not a zero-day exploit. It was credential stuffing against accounts with no two-factor authentication enabled.
The Developer's Checklist
If you manage infrastructure, build IoT integrations, or simply own a camera, here is what actually matters:
On the device itself:
Change the default admin credentials the moment the device is set up. There is no excuse for leaving them in place. Enable HTTPS on the admin interface if the camera supports it. Disable any services you are not using — Telnet, FTP, UPnP — especially if the device exposes them by default. Update the firmware and set a reminder to check for updates periodically.
On the network:
Isolate cameras on their own network segment, either a dedicated VLAN or a guest Wi-Fi network with client isolation enabled. Disable UPnP on your router. If you need remote access, use a VPN tunnel rather than exposing ports directly to the internet. Audit your router's port forwarding rules and close anything you did not intentionally open.
On the account side:
Enable two-factor authentication on every cloud service associated with your cameras. Use a unique, randomly generated password for each account. Check your email addresses against haveibeenpwned.com and rotate credentials for any service that shares a password with a breached account.
On purchasing decisions:
Prefer cameras from manufacturers with active security programmes, public vulnerability disclosure policies, and a track record of releasing firmware updates. Treat unbranded hardware with the same suspicion you would apply to an open-source dependency with no maintainer and no recent commits.
For Those Who Want Full Control
If the idea of trusting a camera vendor's cloud infrastructure makes you uncomfortable — and it should, at least a little — local-only setups are a real option.
Home Assistant combined with Frigate NVR allows you to run a fully local camera system with no cloud dependency, no vendor account, and no outbound video transmission. Footage stays on your hardware. Access is controlled by you. The setup requires more effort than plugging in a consumer camera and downloading an app, but the security model is fundamentally better.
For anyone building internal monitoring systems for offices, labs, or server rooms, this approach is worth considering seriously.
The Broader Point
Security cameras make a compelling case study in a recurring problem in software and hardware: the gap between the security story a product tells and the security it actually delivers.
A camera marketed as a security product creates a strong implicit promise. Users extend it trust they might not give a random IoT thermostat. That trust is frequently unearned. The threat model for a device with a microphone and lens pointed at private spaces is substantially higher than the threat model for a connected lightbulb, and the manufacturers of cheap cameras rarely treat it that way.
As developers we understand the pressures that produce this outcome — tight margins, fast release cycles, features that users can actually see beating out security that they cannot. But understanding the pressure is not the same as accepting the outcome. The person whose baby monitor gets compromised does not care about the manufacturer's margin calculations.
The technical steps are not complicated. Most of the damage here is done by defaults — default passwords, default open ports, default flat networks. Changing defaults takes minutes. It just requires knowing that the defaults are dangerous in the first place.
That is what this post is for.
Summary
The camera pointing at your front door, your living room, or your server rack is only as secure as the choices made during setup — and most setups leave the defaults intact. Default credentials, open ports, unencrypted streams, unpatched firmware, and reused cloud passwords combine to create a device that survives as a liability while operating as a feature.
Change the password. Enable two-factor authentication. Update the firmware. Put it on its own network. Use a VPN for remote access. Check Shodan. Buy from vendors who take security seriously.
The lens points both ways. Make sure you are the only one looking through it.
Top comments (0)