
Over 40,000 Internet-Connected Cameras Found Exposed, Raising Global Security Concerns

A new report from cybersecurity firm BitSight reveals that more than 40,000 internet-connected cameras, ranging from home security devices to medical monitoring systems, are accessible online with little or no protection. The exposed devices include CCTV cameras, baby monitors, bird feeders, ATMs, and surveillance cameras in hospitals and public transportation systems. The findings highlight persistent vulnerabilities in the growing network of consumer and commercial Internet of Things (IoT) devices.

Cameras Found in Homes, Hospitals, and Public Spaces

According to BitSight’s research, many of the cameras identified required no advanced hacking techniques to access. In most cases, a standard web browser was sufficient to reach live camera feeds or still images. The company emphasized that these vulnerabilities pose serious privacy risks, especially in sensitive locations such as healthcare facilities. “The most concerning examples found were cameras in hospitals or clinics monitoring patients,” said João Cruz, Principal Security Research Scientist at BitSight.

The researchers were also able to confirm that some of the exposed footage had been shared or sold through dark web forums, where illicit access to unsecured devices is commonly traded. The scope of the problem is difficult to determine due to the vast number of manufacturers and models currently in circulation, each with different default settings and exposure points. Cruz noted that the figure of 40,000 likely underrepresents the total number of vulnerable devices.

In its press release, BitSight warned that many users may be unaware their devices are accessible from outside their network. Devices configured with default login credentials, or those with outdated software, are particularly at risk. The company said it did not attempt to hack or force entry into the devices but believes the number of exposed systems would be significantly higher if those techniques were applied.

Physical Security Risks and Data Exposure

The report outlines several real-world dangers associated with open access to camera feeds. In homes, exposed cameras can allow unauthorized parties to monitor when residents are present, potentially enabling break-ins. In offices, cameras positioned near computer terminals can be used for “shoulder surfing,” a method for capturing passwords or sensitive information by watching users during login processes. Retail environments, gyms, and laundromats were also among the locations where unprotected cameras were discovered.

Another concern involves how exposed camera feeds, when combined with IP address data and facial recognition technology, could be used to track individuals in specific locations. For example, a camera installed at a construction site or parking garage could potentially be used to monitor employee movements or surveil customers without consent. BitSight’s report underscores the growing risk of combining low-security devices with increasingly accessible surveillance technologies.

While the company did not name specific brands, it noted that legacy systems with unpatched vulnerabilities or default configurations are more likely to be exposed. Cruz advised users to check manufacturer documentation, change default passwords, and verify device settings through tools like Shodan.io, which scans the internet for unsecured connected devices. He also emphasized that users should avoid connecting new cameras without first reviewing their network configuration.

Global Incidents Underscore Escalating Threats

The implications of unsecured surveillance cameras extend beyond personal privacy. In recent years, attackers have exploited vulnerable camera systems to carry out more coordinated and strategic intrusions. In one case earlier this year, the hacking group Akira breached an organization using an unsecured webcam after a previous attempt had been thwarted by cybersecurity protections. The compromised camera provided an entry point for further system infiltration.

Internationally, camera vulnerabilities have been exploited for military purposes. In 2024, the Ukrainian government urged citizens to disable broadcasting cameras after Russian agents hijacked devices at residential and public sites. The attackers redirected the cameras to focus on infrastructure targets, using the footage to plan missile strikes. As a precaution, Ukrainian authorities disabled access to more than 10,000 internet-connected security cameras.

In May 2025, a joint cybersecurity advisory warned that Russian espionage units have continued to target private and municipal camera systems. These intrusions are part of broader efforts to monitor supply chains, troop movements, and materials entering Ukraine. The findings underscore how even seemingly benign devices can become instruments of geopolitical surveillance when left unsecured.