Default passwords make IP cameras surprisingly easy to hack

IP camera
(Image credit: Shutterstock)

Following the recent breach of the startup Verkada that allowed hackers to access thousands of security cameras including in jails and even Tesla offices, CyberNews decided to conduct its own investigation to find out if there are more public-facing cameras that can be easily accessed.

To conduct its research, the news outlet analyzed cameras connected to the internet worldwide made by the 30 most recognized manufacturers. In the end, CyberNews found 380,000 remote-access cameras with 27 brands selling their products with default credentials.

The exposed cameras it discovered online are all CCTV/IP cameras that can be used for CCTV surveillance both outdoors and indoors. This means that they could be recording everything from a remote parking lot or warehouse to a smart doorbell or baby camera.

What shocked CyberNews the most is the fact that the vast majority of these devices shipped with default credentials which if not changed before use, can leave them open for anyone to view. Default passwords from top IP camera manufacturers are just an online search away and even those with few technical skills could potentially access these cameras.

Exposed IP cameras

When it came to the countries with the highest number of public-facing cameras, the US topped the list followed by Germany with over 50,000 cameras while China came in third with just over 25k.

CyberNews' research indicates that the Chinese camera manufacturer HIKVision has the largest number of public-facing cameras online and the news outlet identified 124,000 of the company's cameras in use worldwide. However, they do not ship their devices with default passwords according to a company spokesperson that reached out to TechRadar Pro over email, saying:

“As a leading manufacturer of security cameras, Hikvision does not deliver cameras with a default password, and we have full implementation of a secure-by-design production process.”

The US-based manufacturer HIPCam came in second on the researcher's list with at least 85,000 cameras connected to the internet. CyberNews also identified over 73,000 public-facing cameras from the Taiwanese manufacturer D-Link.

To avoid being spied on online, both businesses and consumers should immediately change the default passwords of their security cameras after purchasing a new device. If you're unable to create a strong, complex password on your own, you can always use a password generator to create one for you and many password managers now include this capability as well.

Via CyberNews

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.