A sweeping internet-wide scan has revealed that more than 21,000 home cameras and recording devices are streaming live footage to the open internet with absolutely no authentication — no password, no login prompt, nothing standing between a stranger and a direct view into private spaces.

The research, conducted by Mysterium VPN and reported by Security Affairs on 12 June 2026, queried a public internet-wide device index in May 2026 and identified a staggering total of over three million internet-reachable cameras and network video recorders. Of that broader pool, 21,786 devices offered live streams requiring zero credentials whatsoever, meaning anyone with the right URL could watch real-time video from living rooms, nurseries, driveways, and offices around the world.

Cheap Hardware, Serious Consequences

The findings point to a familiar culprit in consumer IoT security failures: inexpensive hardware paired with negligent default configurations. Many of the vulnerable devices ship from budget manufacturers that prioritise low cost over security, leaving features like public stream access enabled by default with no meaningful setup process requiring users to establish credentials.

Software played a significant role as well. The Mysterium research found that roughly 46 percent of the devices running webcamXP, a widely used camera streaming application, were exposed without authentication. This figure underscores how even established software can become a liability when it fails to enforce basic security defaults.

Your Router Is the Broadcast Tower

A critical dimension of the problem lies not with the cameras themselves but with the networks they sit behind. Many consumer routers are configured to forward ports or use UPnP (Universal Plug and Play) to automatically expose connected devices to the public internet. In effect, the home router transforms what a user might assume is a local, private camera feed into a publicly accessible broadcast.

Most users are unaware this is happening. The research highlights that the vast majority of these vulnerable devices provide no on-device indicator, app notification, or dashboard warning to alert their owners that the feed is being served to the open internet. This "no warning" gap represents a systemic failure in the consumer IoT market — manufacturers have little incentive to build alerts that might undermine the illusion of simplicity they sell to buyers.

Three Million Devices, But Clarity on Scale Matters

It is important to distinguish between the two numbers at play. The 21,786 figure represents cameras with genuinely zero authentication — the most severe category, where a stream is simply open for anyone to view. The broader figure of more than three million reachable devices includes cameras and recorders that sit exposed on the public internet but may have some form of login protection in place. While those devices are still attackable through brute force, default credential guessing, or software vulnerabilities, they are not in the same immediate risk category as the completely open streams.

Even so, three million internet-facing camera endpoints is a significant attack surface. Default credentials on consumer IoT devices remain trivially guessable, and known vulnerabilities in outdated firmware are routinely exploited at scale.

What Can Be Done

For users, the practical steps are straightforward but require deliberate action. Changing default passwords on cameras and routers is the minimum. Disabling UPnP on home routers can prevent devices from silently exposing themselves. Users should also check whether their camera software — particularly webcamXP — allows unauthenticated access and disable that feature explicitly.
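The last of those steps, checking whether your own camera answers without a login, can be made concrete. The script below is an added example, not code from the Mysterium VPN report or from webcamXP; it fetches one camera URL you supply with no credentials and labels what comes back (the 192.168.1.50 address is a placeholder). Run it once from inside the LAN and once from outside, for example from a phone on mobile data, since the second run shows what the open internet sees.

```python
"""Self-audit: does my own camera's stream URL demand a login?"""
import urllib.request
import urllib.error

# Content types a camera or webcamXP-style HTTP server typically returns
# for a live stream or snapshot when it hands out video with no credentials.
STREAM_TYPES = ("multipart/x-mixed-replace", "image/jpeg", "video/")


def classify(status, headers, body_prefix=b""):
    """Map an HTTP status code plus lowercase header dict to a risk label.

    body_prefix holds the first bytes of the body, used to spot login forms.
    """
    ctype = headers.get("content-type", "").lower()
    body = body_prefix.lower()
    if status == 401 and "www-authenticate" in headers:
        return "AUTH_REQUIRED"      # good: the device challenges for credentials
    if status in (301, 302, 303, 307, 308):
        return "REDIRECT"           # often a login page; inspect the Location target
    if status == 200 and ctype.startswith(STREAM_TYPES):
        return "OPEN_STREAM"        # bad: live video served with zero authentication
    if status == 200 and b"<form" in body and b"password" in body:
        return "LOGIN_FORM"         # the web UI asks for a password before showing more
    if status == 200:
        return "OPEN_PAGE"          # something is served without auth; review it by hand
    return "OTHER_%d" % status


def check(url, timeout=5):
    """Fetch url with no credentials and classify the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "camera-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return classify(resp.status, hdrs, resp.read(2048))
    except urllib.error.HTTPError as e:
        hdrs = {k.lower(): v for k, v in e.headers.items()}
        return classify(e.code, hdrs)
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"        # from outside the LAN this is the result you want


if __name__ == "__main__":
    import sys
    # Placeholder address: replace with the stream URL of a camera you own.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.50:8080/mjpg/video.mjpg"
    print(target, "->", check(target))
```

An OPEN_STREAM or OPEN_PAGE result from outside the LAN means the router is forwarding the port (or UPnP opened it) and the camera is serving without a login; disable that access on the camera and remove the port mapping on the router.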

For the IT and security community, the findings reinforce that the consumer IoT security problem is not getting better. Budget devices continue to ship with poor defaults, and the absence of user-facing warnings means millions of compromised feeds will remain invisible to their owners until the issue is surfaced by third-party research — or exploited by threat actors.

The Mysterium VPN report serves as a reminder that the gap between what a user believes is happening on their home network and what is actually exposed to the world remains dangerously wide.
