Mirai's hardcoded logins still answer on 554
Open webcams indexed by Shodan and Censys are not a privacy footnote - they map insecure OEM firmware, exposed services, and supply chain risk.
A Shodan query for RTSP on port 554 with screenshots enabled returns tens of thousands of live video feeds. No authentication. No login prompt. The stream renders on connect. Censys returns the same population from a different angle, indexing TLS and HTTP banners on camera management interfaces. Insecam ran for years as a curated front-end to exactly this, a directory of open feeds sorted by country and manufacturer. The feeds are the visible layer. The host serving them is the finding.
The phrase “open webcam” undersells the problem. A camera reachable on the public internet with no auth is not an isolated privacy incident. It is a public-facing application that failed the way an exposed Docker registry on port 5000 fails, the way an unauthenticated Redis instance on 6379 fails, the way an open Kubelet on 10250 fails. Missing authentication for a critical function. CWE-306. The same root cause, different banner. The camera is the indicator. The network behind it is the exposure.
The bug class repeats across the device population. Three primitives dominate, and all three trace back to the firmware vendor, not the brand on the box.
First, default and hardcoded credentials. CWE-798. The Mirai-era device fleet ran embedded Linux with Telnet or HTTP credentials compiled into the image - admin/admin, root/xc3511, root/vizxv. These were not weak passwords a user chose. They were baked in by the OEM and unchangeable on many models. Second, missing authentication entirely. RTSP streams exposed without ONVIF auth answer any client that speaks the protocol. The DESCRIBE and PLAY methods return the feed because the device was never configured to challenge the request. Third, command injection in the embedded web server. CVE-2021-36260, Hikvision, CVSS 9.8. An unauthenticated attacker sends a crafted message to the device web server and reaches OS command execution through the request handler. CWE-78. The web server runs as root on the embedded system. There is no privilege boundary above it. Code execution is root execution at first contact.
The supply chain reality sits underneath all of this. Most of these devices are not designed by the company whose logo is on them. They are OEM boards from a handful of manufacturers, rebranded across dozens of labels. Xiongmai is the canonical case. One firmware lineage, one XMeye P2P cloud stack, one set of bugs - CVE-2017-7577 path traversal among them - distributed under many names. A vulnerability in the Xiongmai board is a vulnerability in every brand that shipped it. The same dynamic played out with the Boa web server: end-of-life killed nothing, and the component propagated everywhere. Boa was discontinued in 2005 and still ships inside IoT SDKs today. Microsoft tied Boa vulnerabilities to intrusion activity against the Indian power sector in late 2022. An abandoned web server component, embedded in vendor SDKs a decade after end-of-life, became a live entry point across critical infrastructure devices. That is the microcosm. The insecure dependency is upstream of the product, and no one downstream is patching it.
The exploit path does not begin at the camera. It begins at the scan. T1595, active scanning. An attacker enumerates by port and banner - 554 for RTSP, 80 and 8080 for the web interface, 37777 for Dahua, 34567 for Xiongmai dvrip. The banner identifies the OEM. The OEM identifies the bug. T1190, exploit public-facing application, or T1078 with default credentials where the device never demanded better. Once the device answers, it is a Linux host with network reach, a writable filesystem, and frequently root. From there it joins a botnet, relays traffic, or serves as a foothold inside whatever network terminated that public IP. The camera is rarely the objective. It is the door.
Real-world use is not theoretical. Mirai, 2016, was built primarily from default-credential IoT - cameras and DVRs the largest share - and drove the DDoS against Dyn that broke DNS resolution across much of the US east coast. T1110, brute force against Telnet on 23 and 2323. A large fraction of the source devices were Xiongmai-based. The successors kept the model and added CVE propagation. Mozi, Moobot, and the Gafgyt and BASHLITE families moved from credential brute-forcing to bolting on exploit modules. Moobot and others adopted CVE-2021-36260 within months of disclosure. The Hikvision command injection went from advisory to active botnet recruitment fast, because the patched population and the exposed population are different sets that barely overlap.
Telemetry is where defenders are blind, and the blindness is structural. The camera runs no EDR. It emits no Sysmon. There is no event log to forward, no Windows Security 4688 process creation, no Sysmon Event ID 1, no LSASS handle to watch. The device is not an instrumented endpoint. The compromise is invisible at the host because there is no host telemetry to capture it. Visibility is entirely network-side. NetFlow showing egress from a camera subnet to C2 or P2P relay infrastructure. A device that should only receive inbound viewer sessions suddenly originating outbound SYN scans against 23, 2323, and 554. Unexpected traffic leaving a VLAN that was provisioned to carry video in, not packets out. The detection is the traffic the camera was never supposed to generate. If the camera VLAN is not monitored at all - common, because the device is treated as appliance furniture - there is no signal anywhere in the stack.
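The network-side check described above, as an added example that is not part of the original post: it walks constructed NetFlow-style records and flags cameras that fan out to 23, 2323 or 554, or that reach anything outside a small egress allowlist. The camera VLAN, the camera service ports and the allowed egress ports are assumptions.

```python
import ipaddress
from collections import defaultdict

CAMERA_SUBNET = ipaddress.ip_network("10.20.0.0/24")        # assumed camera VLAN
CAMERA_SERVICE_PORTS = {80, 443, 554, 8080, 34567, 37777}  # ports the cameras themselves serve
SCAN_PORTS = {23, 2323, 554}         # Telnet, alt Telnet, RTSP: Mirai-style recruitment targets
ALLOWED_EGRESS_PORTS = {53, 123}     # assumed: DNS/NTP to local infrastructure is expected

# Constructed flow records in a simplified NetFlow-style layout (TCP only, one record per flow).
SAMPLE_FLOWS = [
    {"src": "10.50.1.7",  "sport": 51022, "dst": "10.20.0.12",   "dport": 554},   # viewer -> camera
    {"src": "10.20.0.12", "sport": 554,   "dst": "10.50.1.7",    "dport": 51022}, # camera's reply
    {"src": "10.20.0.12", "sport": 40001, "dst": "203.0.113.5",  "dport": 23},
    {"src": "10.20.0.12", "sport": 40002, "dst": "203.0.113.6",  "dport": 23},
    {"src": "10.20.0.12", "sport": 40003, "dst": "203.0.113.7",  "dport": 2323},
    {"src": "10.20.0.12", "sport": 40004, "dst": "203.0.113.8",  "dport": 23},
    {"src": "10.20.0.12", "sport": 40005, "dst": "203.0.113.9",  "dport": 554},
    {"src": "10.20.0.30", "sport": 40010, "dst": "10.20.0.1",    "dport": 53},    # allowed DNS
    {"src": "10.20.0.30", "sport": 40011, "dst": "198.51.100.9", "dport": 8443},  # egress to unknown host
]

def camera_originated(flow, subnet=CAMERA_SUBNET):
    """True when a camera opened the connection: source in the camera VLAN and the source
    port is not one of the services the camera exposes (those flows are replies to viewers)."""
    return (ipaddress.ip_address(flow["src"]) in subnet
            and flow["sport"] not in CAMERA_SERVICE_PORTS)

def analyze_flows(flows, scan_threshold=5):
    """Return {camera_ip: {"scan_targets": n, "unexpected_egress": [(dst, dport), ...]}}."""
    scan_targets = defaultdict(set)   # distinct hosts each camera probed on SCAN_PORTS
    egress = defaultdict(set)         # (dst, dport) pairs outside the allowlist
    for f in flows:
        if not camera_originated(f):
            continue
        if f["dport"] in SCAN_PORTS:
            scan_targets[f["src"]].add(f["dst"])
        elif f["dport"] not in ALLOWED_EGRESS_PORTS:
            egress[f["src"]].add((f["dst"], f["dport"]))
    findings = {}
    for host in set(scan_targets) | set(egress):
        entry = {}
        if len(scan_targets[host]) >= scan_threshold:
            entry["scan_targets"] = len(scan_targets[host])
        if egress[host]:
            entry["unexpected_egress"] = sorted(egress[host])
        if entry:
            findings[host] = entry
    return findings
```

On real exports, feed the collector's records into `analyze_flows` after mapping them onto the same four fields; the fan-out threshold is the knob to tune against the VLAN's normal traffic.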
The part the advisories skip is where the camera is served from and what else lives at that address. A host that exposes a camera rarely exposes only a camera. Enumerate the IP and the feed is one service among several. An open MQTT broker on 1883 carrying device telemetry without auth. A management interface left on a public port. A second RTSP stream. On VPS-hosted setups, a coexisting application sharing the same instance and the same credentials. The open camera is a reliable predictor of a poorly managed host, and a poorly managed host is a pivot. Increasingly these feeds are not on residential ISP lines but fronted by cloud P2P relay services and stood up on rented VPS infrastructure. The relay is a trust chain. The device trusts the relay, the viewer trusts the relay, and a compromise of the relay or its default account model reaches every device behind it. That is dependency confusion logic applied to physical devices. The trust sits in a component none of the operators control.
This maps directly onto Australian obligations. Surveillance feeds that capture identifiable individuals fall under the Privacy Act, and an open feed is a disclosure the operator never authorised. Camera and sensor infrastructure attached to critical-infrastructure assets falls under SOCI, including its incident reporting requirements. An exposed feed on a regulated asset is not only a security defect. It is a reportable condition. Active exploitation of any of these devices on a production network is an incident for the responsible security team to escalate, not a curiosity to probe.
The patch boundary is where the residual exposure becomes permanent. Hikvision shipped firmware closing CVE-2021-36260 across affected NVR and camera lines. The patch closes the injection. It does not reach the devices. Embedded patching is manual, rare, and impossible on end-of-life hardware that no longer receives builds. The vulnerable population stays online for years after the fix exists. Boa is worse - the project is dead, so there is no patch, only removal, and removal requires a vendor firmware rebuild that frequently never ships. The bug persists because the dependency cannot be updated in place. The atlas of open feeds is not a snapshot that gets cleaned up. It is a standing inventory of hosts whose firmware will never change.
The camera is the symptom. The exposed host is the condition, and the unpatchable OEM component underneath it is the cause. Treat an open feed as the first finding in a host enumeration, not the last, and the question stops being how many cameras are exposed. It becomes what else is answering on that IP, and who owns the firmware that put it there.