Bitsight TRACE has found over 40,000 exposed cameras streaming live on the internet. Learn where these cameras are, the risk, and how to protect yourself.
Shodan.io is the searchable index of open IoT devices.
Change the default password, people!
Hard-coded default passwords have been illegal in California since 2020, so it shouldn’t be as much of an issue with newer devices. Companies aren’t going to make California-specific versions of their devices, so they’ll often just follow the California standards everywhere.
To be legal in California, the device either needs to have a randomly generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt you to set a password the first time you use it.
I still wouldn’t ever expose a camera directly to the internet. Keep it just on your LAN (e.g. using a VLAN) and VPN in (e.g. using Tailscale) to connect to it remotely.
Yes, but no one checks the legality of cheap Chinese devices from Amazon.
The good Chinese brands, if they do have a hard-coded password, usually make you change it on first login. I’m pretty sure newer Hikvision and Dahua models do this (plus their resellers/rebrands like Amcrest, Lorex, Annke, etc). You need to pay more than the garbage brands, but they’re worth it.
Of course, there’s all sorts of junk on Amazon that doesn’t follow any sort of standards.
Also, cheap cameras tend to ship with a number of x-day vulnerabilities.
It’s usually fine if you stick to a good well-known brand, but there are some cheaper cameras that are bootleg clones of other brands and can’t run the latest upstream firmware, so they’re stuck on a hacked/modified version of older firmware.