Full Report
A BitSight report reveals over 40,000 internet-connected security cameras globally are exposed, streaming live footage without protection. Learn how common devices, from home cameras to factory surveillance, pose privacy and security risks and get simple tips to secure your own.
Analysis Summary
# Best Practices: Securing Internet-Connected Cameras and IoT Devices
## Overview
These practices address the significant security risk posed by internet-connected security cameras (IoT devices) that are left exposed online, leading to unauthorized access to live footage in homes and offices. The recommendations focus on reducing the attack surface, enforcing strong authentication, and ensuring proper network segmentation.
## Key Recommendations
### Immediate Actions
1. **Change Default Credentials Immediately:** Update the default username and password on **all** internet-connected cameras and IoT devices to a complex, unique password (at least 14 characters, mixing cases, numbers, and symbols).
2. **Disable Remote Access (If Not Needed):** If the camera does not require remote viewing capabilities, disable all configurations that allow external network access (Port Forwarding or UPnP).
3. **Verify Device Status:** Conduct an immediate inventory of all connected cameras and recording systems and verify their current online exposure status to confirm local-only access settings are active.
### Short-term Improvements (1-3 months)
1. **Ensure Firmware Updates:** Check the manufacturer's website for the latest firmware for every camera model. Apply all available security updates to patch known vulnerabilities.
2. **Implement Multi-Factor Authentication (MFA):** Where the camera ecosystem (app or cloud service) supports it, enable MFA for account logins to prevent unauthorized access even if credentials are leaked.
3. **Segment IoT Devices:** Move all security cameras and smart devices onto a separate, isolated network (VLAN or Guest Network) to prevent a compromised camera from accessing primary devices (laptops, servers, personal data).
### Long-term Strategy (3+ months)
1. **Review and Restrict Port Forwarding:** Audit the router's configuration to remove any unnecessary port forwarding rules that expose services directly to the internet, especially those related to camera management protocols (like RTSP or web interfaces).
2. **Implement Network Monitoring:** Deploy basic network monitoring tools to alert administrators if an IoT device begins communicating with unusual external IP addresses or transmits excessive amounts of data outbound.
3. **Standardize Procurement:** Establish a policy requiring all new IoT/camera purchases to support current encryption standards (WPA3, strong TLS) and have a documented manufacturer policy for long-term security patching.
## Implementation Guidance
### For Small Organizations
* **Focus on Router Security:** Ensure the primary Wi-Fi router uses strong WPA3 encryption (if supported) and has the local administrative interface protected by a unique password.
* **Guest Network Use:** If a dedicated VLAN is too complex, place all cameras on the existing "Guest" Wi-Fi network, ensuring the isolation setting ("AP Isolation" or "Client Isolation") is enabled to prevent the cameras from communicating with internal LAN resources.
### For Medium Organizations
* **VLAN Implementation:** Create a dedicated Virtual Local Area Network (VLAN) specifically for surveillance equipment. Apply firewall rules to this VLAN:
  * Allow outbound internet access (for firmware checking/cloud services only).
  * Deny all inbound connections from the internet.
  * Deny all communication *from* the IoT VLAN *to* the primary corporate data VLAN.
* **Credential Management:** Utilize a centralized, secure password manager for storing unique, complex administrative passwords for each device.
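To make the IoT VLAN firewall policy above and the network monitoring recommendation in the long-term strategy concrete, here is an added example (not from the report or any vendor) that checks exported flow records against that policy: camera hosts must not reach the corporate VLAN, may only contact the manufacturer's cloud/firmware endpoints externally, and should not exceed a normal outbound volume. The VLAN ranges, the allowlisted cloud network, the byte threshold and the "src dst bytes" record format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (not from the report): a surveillance VLAN and the
# primary corporate VLAN; anything outside these is treated as the internet.
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")
CORP_VLAN = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NETS = (IOT_VLAN, CORP_VLAN)
# Hypothetical manufacturer cloud/firmware endpoints the cameras may contact.
CLOUD_ALLOWLIST = (ipaddress.ip_network("203.0.113.0/24"),)
# Outbound bytes per camera per log window above which volume looks abnormal.
OUTBOUND_BYTES_LIMIT = 50_000_000

# Constructed flow records "src dst bytes"; real NetFlow/firewall exports differ.
SAMPLE_FLOWS = """\
10.20.0.11 203.0.113.7 120000
10.20.0.11 10.10.0.5 4096
10.20.0.12 198.51.100.9 512
10.20.0.13 203.0.113.8 80000000
10.20.0.14 10.20.0.2 300000
"""

def parse_flows(text):
    """Turn the constructed text format into (src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, nbytes = line.split()
            flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)))
    return flows

def analyze(flows):
    """Return (source, reason) alerts for traffic that breaks the IoT VLAN policy."""
    alerts, outbound = [], defaultdict(int)
    for src, dst, nbytes in flows:
        if src not in IOT_VLAN:
            continue  # only camera-originated traffic is in scope here
        if dst in CORP_VLAN:
            alerts.append((str(src), f"segmentation violation: reached corporate host {dst}"))
        elif not any(dst in net for net in INTERNAL_NETS):
            outbound[src] += nbytes  # external destination: count the volume
            if not any(dst in net for net in CLOUD_ALLOWLIST):
                alerts.append((str(src), f"unexpected external destination {dst}"))
        # traffic that stays inside the IoT VLAN (e.g. camera to NVR) is allowed
    for src, total in outbound.items():
        if total > OUTBOUND_BYTES_LIMIT:
            alerts.append((str(src), f"excessive outbound volume: {total} bytes"))
    return alerts
```

Running `analyze(parse_flows(SAMPLE_FLOWS))` on the constructed records flags one segmentation violation, one unexpected external destination and one excessive-volume camera; a segmentation alert also tells you the "deny IoT to corporate" firewall rule is missing or misordered.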
### For Large Enterprises
* **Dedicated Security Appliance Inspection:** Route all IoT/camera traffic through a next-generation firewall (NGFW) or dedicated security appliance for deep packet inspection and behavioral analysis before it reaches the external network.
* **Asset Inventory and Lifecycle Management:** Integrate camera assets into the formal Configuration Management Database (CMDB) and establish procedures for automated vulnerability scanning and mandatory retirement before manufacturer end-of-life dates.
* **Zero Trust Principles:** Apply micro-segmentation within the IoT VLAN, ensuring that Camera A cannot communicate with Camera B unless explicitly required for system operation (e.g., for NVR communication).
## Configuration Examples
| Configuration Area | Best Practice Setting | Rationale |
| :--- | :--- | :--- |
| **Router Access** | Disable Universal Plug and Play (UPnP) entirely. | Prevents devices (including potentially compromised cameras) from automatically opening inbound firewall ports. |
| **Remote Access** | Use a site-to-site VPN or a manufacturer-sanctioned, authenticated cloud tunnel instead of direct port forwarding. | Encrypts and authenticates remote access, rather than exposing raw camera streams/interfaces to the public internet. |
| **Device Login** | Prefer local device authentication over cloud dependency, ensuring cloud access is MFA-protected. | Reduces risk from cloud service breaches; local control maintains function during cloud outages. |
## Compliance Alignment
* **NIST Cybersecurity Framework (CSF):**
  * **Identify:** Asset management and risk assessment of vulnerable devices (ID.AM, ID.RA).
  * **Protect:** Implementing strong passwords and network segmentation to limit access (PR.AA, PR.PT).
* **ISO/IEC 27001:**
  * **A.9.2.5:** Management of privileged access rights (ensuring complex, unique credentials).
  * **A.12.1.2:** Separation of development, testing, and production environments (applies to network zoning).
* **CIS Controls:**
  * **Control 4 (Access Control Management):** Ensuring only authorized individuals or systems can interface with surveillance streams.
  * **Control 5 (Account Management):** Enforcing MFA and strong password policies for device management interfaces.
## Common Pitfalls to Avoid
* **Reusing Credentials:** Using the same password for the camera administrator, the router login, and any associated cloud account.
* **Relying Solely on Cloud Access:** Assuming that because you log in via a smartphone app, the underlying camera device is secure and not directly exposed to the internet.
* **Ignoring Obsolete Hardware:** Continuing to use old security cameras whose manufacturers have ceased issuing security patches. These devices become permanent, unpatchable vulnerabilities.
* **Trusting Default Guest Networks:** Often, Guest networks still allow communication between connected clients; ensure your specific router settings truly isolate the cameras from other users/devices on that network segment.
## Resources
* **Manufacturer Update Pages:** Regularly check the official support portal for your specific camera brand (e.g., Axis, Hikvision, Wyze) for firmware management tools and advisories.
* **CISA Alerts:** Monitor the Cybersecurity and Infrastructure Security Agency website for specific IoT vulnerability disclosures that may affect installed devices.
* **Network Scanning Tools (Internal Use Only):** Tools like Nmap (for experienced administrators) can be used internally to scan the IP range assigned to IoT devices to confirm which ports remain suspiciously open.