Authors: Cheok Ieng Ng (ngcheokieng@gmail.com), Maryam Mehrnezhad (maryam.mehrnezhad@rhul.ac.uk)
This paper will be published via Springer’s Lecture Notes in Computer Science (LNCS), accepted and presented at International Conference of Security Standardisation Research (SSR), 2024. Link to open-access full paper: TBD
Introduction
In today’s world, where smart devices are ubiquitous in our homes and workplaces, IP cameras stand out for their practicality and ease of use. They provide real-time video feeds for home security, pet monitoring, and more. However, like many IoT devices, their rapid adoption brings significant security and privacy concerns. Our research, which investigated publicly accessible UK IP cameras indexed on Shodan, an online search engine for internet-connected devices, highlights these risks.
What is an IP Camera?
An IP camera is a digital camera that uses the internet to send and receive video. Unlike traditional CCTV cameras, IP cameras don’t need a local recorder. They can be accessed directly over a network, making them ideal for surveillance. Additionally, IP cameras support advanced features such as motion detection, two-way audio, and cloud-based storage, further enhancing their capability for both residential and commercial security systems.

IP Cameras: A Double-Edged Sword
IP cameras have transformed the surveillance landscape, replacing traditional CCTV systems with internet-enabled devices that offer features like motion detection and cloud storage. However, these attractive features also introduce vulnerabilities. Misconfigurations during setup or manufacturing can leave these cameras exposed to unauthorized access.
This research examined 281 publicly accessible UK-based IP cameras indexed on Shodan, uncovering alarming vulnerabilities, such as unsecured RTSP (Real-Time Streaming Protocol) connections and footage accessible without authentication. Following our initial findings, we then focused on a subset of 7 pieces of captured footage and qualitatively analysed their privacy risk exposure.
Key Findings
Exposure of Residential Spaces
Over 76% of the IP cameras analysed were found to be installed in residential areas. These devices were often placed outdoors to monitor entry points and surrounding areas. The footage captured by these cameras frequently included sensitive details, such as the layout of homes, daily routines of residents, and even identifiable individuals, posing significant privacy concerns.
Shodan as a Risk Multiplier
Shodan, a search engine for connected devices, amplifies the risks associated with unsecured IP cameras. By indexing these devices, Shodan gives malicious actors an easy way to locate and exploit vulnerable cameras. Additionally, cached footage and metadata provide insights into a camera’s location and usage patterns, further compromising security.
AI Enhancing Risk
The use of advanced AI tools like ChatGPT demonstrates both the capabilities and potential dangers of modern technology. Analysis of camera footage using AI can extract detailed information, such as property type, the presence of individuals, and environmental context. While valuable for legitimate purposes, such tools could also be misused to automate malicious activities, including stalking or targeting individuals.
Legislative Gaps
Existing regulations, such as the GDPR and the UK’s PSTI Act, fail to adequately address the security challenges posed by IP cameras. These legislative frameworks lack specificity regarding IP camera security requirements, resulting in inconsistent levels of protection. Manufacturers also face significant challenges due to the diversity of global standards, which increase costs and complicate compliance efforts.
The Broader Implications
The study highlights a troubling paradox: while IP cameras are designed to enhance physical security, their vulnerabilities often lead to online privacy breaches and security risks. For example, an outdoor camera designed to deter intruders might unintentionally broadcast sensitive footage accessible via Shodan.
These risks are not limited to individual users. Compromised cameras can serve as entry points for larger cyberattacks, such as Distributed Denial-of-Service (DDoS) campaigns, or act as nodes in botnets like Mirai.
Mitigation Strategies
To address these challenges, the study suggests a comprehensive approach:
For Users
Users should prioritise changing default passwords on their IP cameras and enabling encryption to protect their data. It is equally important to regularly update the firmware on these devices and avoid using outdated models that may lack critical security updates. When selecting a camera, users should opt for devices with robust built-in security features to minimize vulnerabilities.
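As an added example (not taken from the paper), the sketch below shows how an owner can interpret what their own camera answers when an RTSP client asks for the stream description without credentials: whether it serves the stream openly, asks for a password in a way that is readable on the network, or enforces authentication. The function names, verdict labels and the three sample responses are assumptions constructed for illustration.

```python
# Added example. The three responses in SAMPLES are constructed, not captures.

def parse_rtsp_response(raw):
    """Split an RTSP response into (status_code, {header: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def assess(raw, encrypted=False):
    """Classify the reply to a DESCRIBE request that carried no credentials.

    encrypted is True when the stream URL was rtsps:// (RTSP over TLS).
    """
    status, headers = parse_rtsp_response(raw)
    schemes = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    if status == 200:
        return "open"            # anyone who can reach the port gets the stream
    if status == 401 and "basic" in schemes and not encrypted:
        return "weak-auth"       # Basic sends base64(user:password) in the clear
    if status == 401 and schemes:
        return "auth-required"   # Digest, or Basic inside TLS
    return "inconclusive"        # e.g. 404 for a wrong stream path


SAMPLES = {
    "no_auth": "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n",
    "basic":   "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               'WWW-Authenticate: Basic realm="camera"\r\n\r\n',
    "digest":  "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               'WWW-Authenticate: Digest realm="camera", nonce="constructed-nonce"\r\n\r\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8s} rtsp://  -> {assess(raw)}")
        print(f"{name:8s} rtsps:// -> {assess(raw, encrypted=True)}")
```

A verdict of "open" or "weak-auth" on a camera you own points to the settings named above: set a non-default password and enable encryption where the device supports it.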
For Manufacturers
Manufacturers should adopt security-by-design principles, ensuring that features like encryption and authentication are enabled by default in their devices. Providing clear and accessible user guides is essential to help users understand how to secure their cameras effectively. Additionally, manufacturers must commit to post-sale support by offering timely firmware updates to address emerging security threats.
For Regulators
Regulators should enforce uniform global standards for IoT security to eliminate regional loopholes that may weaken protections. Mandating basic security measures, such as encryption, for all IoT devices is critical. Public awareness campaigns should also be promoted to educate users about the importance of securing their IoT devices and the steps they can take to safeguard their privacy.
Conclusion
The increasing popularity of IP cameras highlights the critical need for stronger security measures. This study shows that failing to act can lead to serious consequences, from privacy breaches to large-scale cyber threats. By fostering user vigilance, ensuring manufacturer accountability, and implementing robust regulatory frameworks, we can ensure that these devices fulfil their promise of safety without compromising security.
Are your IoT devices secure? Check their settings today and ensure they are configured to protect your privacy. Together, we can make the digital world a safer place.