Thursday, June 12, 2025

Bitsight finds over 40K exposed connected security cameras


Bitsight has uncovered a massive network of connected security cameras that are offering an open window to anyone on the internet.

The cybersecurity outfit found more than 40,000 accessible connected security cameras, streaming live footage from sensitive locations including private homes, company offices, factories, and even hospital rooms.

For tens of thousands of devices, a simple web browser and the correct IP address are all an attacker needs to begin spying.

“We’re now in 2025 and this surveillance threat is still a thing, not because of a totalitarian government but rather from this new paradigm where everything is connected to the internet,” Bitsight states.

The scale of the problem is vast, with the US having the highest number of exposed devices at approximately 14,000, followed by Japan with around 7,000. Other significantly affected countries include Austria, Czechia, and South Korea, each with about 2,000 exposed cameras. The researchers at Bitsight believe they have “only scratched the surface.”

Bitsight’s investigation was conducted ethically, without attempting to guess weak passwords or exploit known vulnerabilities. They are confident that if they had tested for easily guessable or hardcoded credentials, “the scale of the problem would be even more alarming.”

The core of the issue often lies in user convenience being prioritised over security. Many individuals and organisations purchase and install connected security cameras with minimal setup, often skipping essential configurations like changing default login details or enabling user authentication. This oversight turns a tool for safety into a major vulnerability.

For individuals, the implications are deeply invasive. An exposed camera, whether a baby monitor or a pet cam, means zero privacy. Malicious actors could be watching a family’s movements, and if the camera has a microphone, they could be eavesdropping on private conversations. This constant surveillance could be used to time a robbery for when a house is empty or to gather material for extortion.

For organisations, the risks multiply, potentially leading to espionage, reputational damage, and severe financial losses. The report highlights numerous alarming scenarios. Attackers with access to an office camera can monitor which employees come and go, what security measures are in place, or even read confidential information from whiteboards and computer screens. The research found a worrying number of businesses – from small shops and restaurants to large corporations – using cheap, improperly configured DIY CCTV systems.

Bitsight’s investigation uncovered exposed connected security cameras in a multitude of commercial settings. In retail, cameras were seen monitoring smartphone stores and jewellery showcases, allowing potential burglars to remotely case a location, identify valuable items, and plan their break-in for when the premises are empty. One example showed a camera inside a luxury car dealership, freely displaying a collection of high-value vehicles including a Porsche, two Corvettes, a Bentley, and a Mercedes-Benz.

The threat extends to industrial and critical infrastructure. Exposed cameras were found monitoring factory floors, giving competitors a direct view of proprietary manufacturing processes. Even more concerning was the discovery of cameras monitoring datacentres and IT server rooms. In these highly sensitive areas, there is absolutely no reason for footage to be accessible on the open internet, as it allows attackers to map blind spots and plan unauthorised physical access.

Perhaps the most disturbing findings were those in uniquely sensitive environments. The research team uncovered cameras monitoring ATMs, a perfect setup for fraudsters who could remotely watch users enter their PINs to facilitate theft. They also found cameras installed inside what appeared to be trams, creating an obvious privacy risk for passengers of a public transport company.

Bitsight even confirms the discovery of cameras in hospitals or clinics monitoring patients. Due to the “highly sensitive nature” of this scenario, the screenshots were deliberately withheld.

The exposed connected security cameras are not merely passive surveillance risks. They can be actively weaponised. An attacker can compromise a camera and incorporate it into a botnet, such as the infamous Mirai botnet, to launch large-scale cyberattacks, including recent Distributed Denial of Service (DDoS) attacks.

The Akira ransomware group has already demonstrated this risk by exploiting webcams to deploy its malicious software. This danger is so significant that the US Department of Homeland Security has raised alarms that such cameras could be used for espionage and pose a direct threat to critical infrastructure.

To combat this widespread issue, Bitsight urges both individuals and companies to take immediate, simple, but essential precautions. For home users, it is crucial to change default usernames and passwords to something strong and unique. Remote access should be disabled if not explicitly needed, and camera firmware must be kept updated to patch security vulnerabilities.

For organisations, the guidance is to restrict access to connected security cameras using firewalls and VPNs, ensuring only authorised personnel can view the feeds. Continuous monitoring for unusual activity and setting up alerts for unexpected login attempts are also vital defensive measures.
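As an added illustration of the alerting guidance above (not code from Bitsight or the original article), the following Python sketch scans camera login logs and flags logins from outside an allowed VPN range, repeated failures, and successful logins with factory account names. The log format, the `10.20.0.0/24` VPN range, the account names and the threshold are all assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed values: networks allowed to reach camera logins (VPN / management).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DEFAULT_USERS = {"admin", "root"}  # assumed factory account names
FAIL_THRESHOLD = 3                 # failures per (camera, source) before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\S+) cam=(?P<cam>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log lines (hypothetical format, documentation addresses).
SAMPLE_LOG = """\
2025-06-12T08:14:03Z cam=lobby-01 src=10.20.0.15 user=ops result=ok
2025-06-12T08:20:41Z cam=lobby-01 src=203.0.113.7 user=admin result=fail
2025-06-12T08:20:43Z cam=lobby-01 src=203.0.113.7 user=admin result=fail
2025-06-12T08:20:46Z cam=lobby-01 src=203.0.113.7 user=admin result=fail
2025-06-12T08:20:49Z cam=lobby-01 src=203.0.113.7 user=admin result=ok
2025-06-12T09:02:10Z cam=server-room src=10.20.0.22 user=admin result=ok
malformed line that should be skipped
"""

def find_alerts(log_text):
    """Return a list of (timestamp, camera, source, reason) alert tuples."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, cam, user, result = m["ts"], m["cam"], m["user"], m["result"]
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not a valid IP address
        if not any(src in net for net in ALLOWED_NETS):
            alerts.append((ts, cam, str(src), "source-outside-allowlist"))
        if result == "fail":
            failures[(cam, src)] += 1
            if failures[(cam, src)] == FAIL_THRESHOLD:
                alerts.append((ts, cam, str(src), "repeated-failures"))
        elif user in DEFAULT_USERS:
            alerts.append((ts, cam, str(src), "default-account-login"))
    return alerts

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_LOG), sep="\n")
```

The server-room entry shows why the default-account check is separate from the network check: the login arrives over the allowed VPN range yet still uses an unchanged factory username.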

By taking these steps, individuals and organisations can reclaim their privacy and ensure their security devices aren’t creating a vulnerability.

(Photo by Lianhao Qu)
