Ubiquitous video surveillance has become the hallmark of the century, with millions of eyes behind billions of ever-present cameras constantly watching over our shoulders. Research by the CyberNews team shows that most public-facing cameras currently in use might utilize default passwords, which makes them exposed to anyone willing to take a peek.
A group of hackers recently managed to sneak into the daily routine of hundreds of businesses. Swiss software developer Tillie Kottmann shared screenshots on Twitter from inside a Tesla warehouse in California and an Alabama jail.
All of this was possible after people found login information for camera makers Verkada administrative tools publicly online.
Our team took on a task to see if there are more public-facing cameras that outsiders could easily access. We found over 380,000 remote-access cameras from the 30 most popular brands. Twenty-seven of them sell their products with default credentials.
How did we do it?
For this research, we have analyzed cameras connected to the internet worldwide and made by the 30 most recognized manufacturers. We have found over 380,000 public-facing cameras online. Since all internet-connected cameras are part of IoT ubiquitous computing, it is possible to find all of them.
These are all CCTV/IP cameras that can be used for CCTV surveillance, outdoors, indoors, for commercial and personal use. That is to say, that it can be everything from a remote parking lot or a warehouse to a smart doorbell or a baby camera.
Alarmingly, we found that the vast majority of the most used cameras are shipped with default credentials, which, if not changed before use, can leave the device open for anyone interested to look. Be it a pet camera or a security device.
According to our research, most public-facing cameras are operational in the United States, where we identified over 53,000 such devices.
Germany was a close second with over 50,000 cameras. Interestingly, Germany has a relatively conservative position towards privacy, famously banning Google from taking pictures for its Street View service, making Germany a rather exceptional case in Europe.
We identified at least 25,000 public-facing cameras in China, making the country third on our list. Fourth, with 18,000 cameras, is the Republic of Korea. The last to make it to the top5 is Brazil with over 10,000 cameras.
The US and Germany, however, stand out from the crowd. Even though the latter has a population of 83 million, the number of publicly accessible cameras there is similar to the one we’ve seen in the States with a population of 328 million and twice as much as in China, housing almost 1.4 billion people.
Our research indicates that HIKVision, a camera manufacturer from China, has the largest number of public-facing cameras online. We’ve identified over 124,000 HIKVision cameras in use worldwide. The manufacturer is among the industry leaders, having supplied hundreds of surveillance projects in its home country.
Default passwords for top manufacturers of cameras are a quick Google search away and doable by virtually anyone. Avoiding to change credentials of such a purchase leaves the user vulnerable to easy intrusion of privacy.
A country with the most HIKVision cameras is the United States, where at least 10,000 devices are online. Brazil operates 9,600 cameras from the same manufacturer, with China using 9,200 devices.
HIPCam, a US-based manufacturer known for their indoor and outdoor cameras, was second on our team’s list with at least 85,000 cameras connected to the world-wide-web.
We’ve also identified over 73,000 public-facing cameras from the Taiwanese manufacturer D-Link. Interestingly, most of their camera models were automatically identified by HTTP headers the company provides.
The key take out here is that 27 out of 30 manufacturers we’ve analyzed provided default passwords for their products. With some reports indicating that a whopping 15% of users do not personalize passwords, that would translate to at least 57,000 public-cameras accessible to anyone worldwide.
Users of cameras connected to the internet should be noted that using default-credentials is extremely risky, especially if the camera is accessible through public networks and is not firewalled.
Hikvision has reached out to CyberNews, claiming that companies’ cameras are not shipped with default passwords.
“As a leading manufacturer of security cameras, Hikvision does not deliver cameras with a default password, and we have full implementation of a secure-by-design production process,” a representative of the company wrote in an email.
The camera manufacturer advises installing cameras behind a firewall or connecting them via a VPN tunnel so that a security camera would never be directly connected to the internet and exposed to attacks.
Can’t think of a strong password? No worries, there’s help. Try our password generator that automatically generates strong and secure passwords.
To make it count, don’t use the same password on multiple accounts. We know it’s not easy to remember passwords, but that’s why password managers exist. Take a look at some of the best there are.
If you want to take your online privacy and security even further you should consider using a VPN service. You might want to try NordVPN or Surfshark. In case you are considering ‘vaccinating’ your computer, we have recommendations for the best antivirus protection as well.
More great CyberNews stories:
Subscribe to our monthly newsletter