
Big Brother is Back—And He’s Not Alone: The Disturbing Reality of 40,000 Exposed Security Cameras

When George Orwell envisioned a world of unrelenting surveillance in 1984, he imagined government agents behind every lens. Today’s watchers are less centralized, more chaotic—and in many cases, terrifyingly easy to become. According to a bombshell report from Bitsight TRACE, more than 40,000 internet-connected security cameras are currently streaming live footage directly onto the public internet, with no authentication required. It doesn’t take a state-sponsored hacker to tune in—just a browser and a lucky IP address.


This vast exposure paints a grim picture of our increasingly digital yet disturbingly porous physical world, where living rooms, boardrooms, and factory floors are silently broadcasting to anyone who knows where to look.


From Baby Monitors to Botnets


The footage isn’t just mundane scenes of pets or porches. It includes office workspaces, jewelry stores, data centers, hospitals, even ATMs. What was meant to enhance security has instead created new threat vectors for espionage, reconnaissance, and extortion.


“It’s regularly not even the consumer’s fault for not securing these products; they just don’t have the capability to be secure,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “The consumer purchases the camera and downloads the mobile app without knowing that they have exposed the inside of their house to strangers on the Internet. The companies that manufacture these products have the responsibility to secure them.”


Bitsight researchers discovered that many devices rely on simple, hardcoded URIs like /out.jpg to serve live snapshots without requiring login credentials. Some brands don’t even obfuscate or limit access to the admin panel, exposing sensitive controls to the public.
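A defender's check for the behaviour described above, as an added example that is not taken from the Bitsight report or from any vendor's code: it classifies HTTP responses captured from cameras you own when the snapshot path was requested with no credentials. The device names and responses are constructed samples, and the function names are hypothetical.

```python
from dataclasses import dataclass

JPEG_MAGIC = b"\xff\xd8\xff"  # first bytes of every JPEG file

@dataclass
class Finding:
    device: str
    verdict: str  # exposed | auth-required | redirect | inconclusive
    reason: str

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def classify(device: str, raw: bytes) -> Finding:
    """Judge a response to a snapshot request that carried no credentials."""
    try:
        status, headers, body = parse_response(raw)
    except ValueError as exc:
        return Finding(device, "inconclusive", str(exc))
    if status in (401, 403):
        return Finding(device, "auth-required", f"HTTP {status}")
    if status in (301, 302, 303, 307, 308):
        return Finding(device, "redirect", headers.get("location", "?"))
    # Check the body too: a mislabelled Content-Type must not hide a JPEG.
    ctype = headers.get("content-type", "").lower()
    if status == 200 and (ctype.startswith("image/") or body.startswith(JPEG_MAGIC)):
        return Finding(device, "exposed", "image returned without login")
    return Finding(device, "inconclusive", f"HTTP {status}, no image body")

# Constructed sample responses (hypothetical device names, not real captures).
SAMPLES = {
    "cam-lobby": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + JPEG_MAGIC + b"data",
    "cam-dock": b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="cam"\r\n\r\n',
    "cam-office": b"HTTP/1.1 302 Found\r\nLocation: /login.html\r\n\r\n",
    "cam-lab": b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" + JPEG_MAGIC + b"data",
}

def audit(samples):
    return {name: classify(name, raw).verdict for name, raw in samples.items()}
```

Any device reported as "exposed" is a candidate for the steps under "Securing the Insecure": restrict external access and move it onto a segmented network.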


The United States: Surveillance Capital


Of the more than 40,000 cameras uncovered, the U.S. leads the exposure tally with nearly 14,000 devices, followed by Japan, Austria, and the Czech Republic. Many of these are home security systems installed by individuals and small businesses that likely had no idea their feeds were exposed to the world.


And as cybersecurity experts warn, the risks go far beyond personal privacy.


“These cameras are no different from any number of legacy or minimally-capable, purpose-built devices,” said Chris Gray, Field CTO at Deepwatch. “We make choices to use them, but that does not free us from the responsibility of doing so at a level of security that is appropriate to the materials we are protecting.”


Gray emphasized that both consumers and organizations must evaluate these systems through a full security lens—classification, exposure, risk tolerance, and applicable controls. “Systems which are available to access from the open Internet should be expected to BE accessed eventually,” he warned.


Not Just Watching—Attacking


IP cameras, in particular, have become low-hanging fruit for hackers. Their lack of firmware updates, unchanged default credentials, and exposed networks make them perfect targets for botnets and lateral movement inside corporate environments.


“The numbers in this Bitsight report are likely very underestimated; if there are a billion IP cameras operating worldwide, just 1% being exploitable would be 10 million cameras,” said John Gallagher, Vice President at Viakoo.


These devices have already been used in real-world attacks—from the infamous Mirai botnet that launched massive DDoS attacks, to more recent intrusions where hackers exploited webcam access to deploy ransomware or conduct pre-attack reconnaissance.


“Often IP cameras are used within a cyber kill chain to perform reconnaissance, or to host malware that can use lateral movement and its placement on the network to access more sensitive corporate data,” Gallagher explained. “Whether it’s ‘Big Brother’ or cyber-criminal gangs, yes, they are watching us.”


Securing the Insecure


Securing these devices requires more than awareness. Experts urge users to treat every internet-connected camera like any enterprise asset: rotate passwords, patch firmware, restrict external access, and segment networks.


For organizations, adopting agentless security solutions purpose-built for cyber-physical systems (CPS) is now essential. Traditional agent-based solutions can’t even run on most IoT devices, let alone secure them.


As our world rushes to automate and digitize, many users are unwittingly handing over the keys to their homes and businesses. Security cameras, designed to guard us, are being flipped into tools of exploitation.


The next time you glance at your webcam light, ask yourself: Who’s watching whom?
