Last updated: April 2026
Key Takeaways
- Thousands of home security cameras are streaming live on the open internet right now because their owners never changed the default password or left the video feed accessible without authentication. Ethical hacker Ryan Montgomery recently demonstrated how easy it is to find and control these cameras through public forums — no hacking required.
- The problem is usually your network configuration, not just the camera itself. Features like UPnP (Universal Plug and Play) and default port forwarding rules can silently expose your camera's video feed to the entire internet without your knowledge.
- Checking takes five minutes. Fixing it takes ten. This guide walks you through how to determine if your camera is exposed, how to lock it down at the router level, and why local-storage cameras with no cloud dependency are the safest long-term solution.
People Are Watching Your Cameras Right Now
What Ryan Montgomery Found
Ryan Montgomery is a professional cybersecurity specialist, ethical hacker, and CTO of the Sentinel Foundation, an organization focused on combating child exploitation online. In a recent video that went viral across social media, Montgomery demonstrated something unsettling: active communities on Reddit and Discord — some with over 2,000 members — are sharing live feeds from unsecured private cameras.
Montgomery showed that a simple search for "controllable webcams" on Reddit surfaced recent posts linking to cameras with full pan, tilt, and zoom control, no password required. One example was a water park in the Czech Republic where anyone could remotely move the camera and watch visitors in real time. His advice was straightforward: Google the model of the cameras in your home and make sure they are not exposed to the internet publicly.
This is not a new vulnerability. It is a persistent one. The cameras Montgomery found were not "hacked" in any sophisticated sense — they were simply left with default settings that made them publicly accessible. The problem is that most people never check.
How This Happens: Shodan, RTSP, and Default Passwords
To understand why so many cameras are exposed, you need to understand three things:
Shodan is a search engine that indexes every device connected to the internet — routers, servers, printers, and cameras. Unlike Google, which indexes websites, Shodan indexes the devices themselves. According to research from Cybernews, at least 8,373 cameras with exposed RTSP streams were discoverable on Shodan at the time of their analysis. That number fluctuates but remains consistently in the thousands.
RTSP (Real-Time Streaming Protocol) is how most IP cameras transmit video over a network. It runs on port 554 by default. RTSP does not encrypt the video stream and does not include any lockout mechanism for failed login attempts. If your camera's RTSP port is accessible from the internet and protected only by a default password (or no password at all), anyone who finds it can watch your feed.
Default passwords are the root cause. Many IP cameras ship with well-known credentials like admin/admin, admin/password, or admin/12345. If these are never changed during setup, the camera is effectively public. Some cheaper cameras have no password requirement at all when accessed via RTSP.
How to Check If Your Camera Is Exposed
Step 1: Identify Your Camera Model
Check the physical label on your camera or look in the manufacturer's app under device settings for the exact model number. Then do what Montgomery recommended: search for [your camera model] default password and [your camera model] security vulnerability in a search engine. If the default credentials come up easily (they will for most brands), and you never changed yours, change them immediately.
Step 2: Check Your Router for Open Ports
The camera itself is only half the equation. Your router decides what is visible to the outside internet. Log into your router's admin panel (typically at 192.168.1.1 or 192.168.0.1) and check two things:
- Port forwarding rules. Look for any rules you did not create — especially rules forwarding external traffic to port 554 (RTSP), port 80 (HTTP), or port 8080 (alternate HTTP). If your camera's local IP address appears as a forwarding destination for any of these ports, external users may be able to access your camera directly. Remove any port forwarding rules you did not intentionally create.
- UPnP (Universal Plug and Play). This feature allows devices on your network to automatically open ports on your router without asking permission. Many cameras use UPnP to make themselves remotely accessible during setup — and then leave the port open permanently. Disable UPnP on your router. This is one of the single most impactful security changes you can make. If you need remote access to your cameras, set it up manually through a VPN rather than letting devices punch holes in your firewall automatically.
Step 3: Check Cloud and P2P Relay Settings
Some cameras use a P2P (peer-to-peer) relay through the manufacturer's cloud servers to provide remote access. This bypasses your firewall entirely — the camera connects outbound to the vendor's server, and the vendor relays your video feed to their app. This means even if your router is locked down, the vendor still has access to your feed.
If your camera offers a P2P or "cloud relay" feature and you do not need remote access, disable it. If you do need remote access, a VPN connection to your home network (Proton VPN or Mullvad) is a more secure approach — it lets you access your cameras remotely without exposing any ports or depending on a third-party relay server.
The Two Threats Most People Miss
Threat 1: Direct Exposure (What Montgomery Demonstrated)
This is the immediate, visible threat: a camera with default credentials and an open port, accessible to anyone with a search engine. It primarily affects standalone IP cameras — especially lower-cost models from generic brands — that are connected directly to the internet without proper authentication. These are the cameras that end up on Shodan, on Reddit threads, and on aggregator sites that catalog exposed feeds by country.
The fix is technical but straightforward: change the default password, disable UPnP, remove unnecessary port forwarding, and update firmware. If your camera does not support setting a strong password or does not receive firmware updates, it should be replaced.
Threat 2: Cloud Dependency (The Bigger Problem)
The second threat is structural rather than accidental. Cloud-based cameras from Ring, Google Nest, Arlo, Wyze, and Blink upload your footage to company-controlled servers by design. This means your video feed is accessible to the vendor, to anyone who compromises the vendor, and — in some documented cases — to law enforcement without a warrant.
We covered this in depth in our article on Ring camera privacy issues and alternatives. The short version: Ring has a documented history of sharing footage with law enforcement through its Neighbors program, Wyze concealed a known security breach for years, and Eufy was caught uploading thumbnails to cloud servers despite marketing itself as "no cloud." Even when your camera is not "hacked," the cloud model means someone other than you has access to your footage.
This is structurally identical to the ISP gateway problem we cover extensively on ModemGuides: when you use equipment controlled by someone else, you are trusting that company with your data whether you realize it or not. The fix is the same — own the infrastructure yourself.
Lock It Down: The Network Hardening Checklist
Most security camera guides focus on the camera. This checklist focuses on the network — because your router is the gatekeeper that decides whether your camera is visible to the outside world.
| Action | Why It Matters | Difficulty |
|---|---|---|
| Change camera default password | Default credentials are publicly documented for virtually every camera brand. Leaving them unchanged is the single most common reason cameras appear on Shodan. | Easy |
| Disable UPnP on your router | UPnP lets devices silently open ports on your router. Your camera may have already exposed itself without your knowledge. Disabling it prevents any device from auto-opening firewall holes. | Easy |
| Audit port forwarding rules | Check your router's port forwarding table for rules you did not create. Remove any rule forwarding traffic to port 554 (RTSP), 80, or 8080 unless you specifically set it up and understand why it is there. | Easy |
| Update camera firmware | Manufacturers patch known vulnerabilities through firmware updates. Cameras that no longer receive updates should be considered compromised and replaced. | Easy |
| Disable P2P / cloud relay if not needed | P2P relay bypasses your firewall by connecting outbound through the vendor's servers. If you do not use remote viewing, turn it off. If you need remote access, use a VPN instead. | Moderate |
| Enable 2FA on camera accounts | If your camera uses a cloud account for management, enable two-factor authentication. This prevents account takeover even if your password is leaked in a data breach. | Easy |
| Put cameras on a separate VLAN | Network segmentation isolates your cameras from your computers, phones, and other sensitive devices. Even if a camera is compromised, the attacker cannot pivot to the rest of your network. Requires a router that supports VLANs (most routers running OpenWrt, pfSense, or OPNsense support this). | Advanced |
| Switch to local-storage cameras | Cameras that record to local microSD or a local NVR eliminate cloud dependency entirely. No subscription, no warrantless access, no third-party servers. See our full guide to local storage security cameras. | Moderate |
If You Are Shopping for a Replacement
If the audit above revealed that your current camera is insecure, no longer receives firmware updates, or depends entirely on a cloud service you do not trust, it is worth replacing it with a camera that stores footage locally and supports open protocols.
We maintain a dedicated guide to the best local storage security cameras of 2026, which covers our top picks across price ranges — from budget indoor cameras starting around $40 to weatherproof outdoor models with 4K resolution and AI object detection. Every camera on that list records to local storage (microSD or NVR), charges no monthly subscription fees, and has been evaluated for its support of open protocols like RTSP and ONVIF.
For a deeper look at the specific privacy risks of cloud-based cameras and why we recommend against Ring for security-conscious users, see our article on Ring camera privacy issues and alternatives.
The principle is consistent across everything we cover at ModemGuides: the equipment that protects your home should be under your control. That applies to your modem, your router, and your security cameras. If someone else controls the infrastructure, someone else controls the experience.
Frequently Asked Questions
How do I know if someone is watching my security camera?
In most cases, you will not receive any notification. Unauthorized viewers access the camera's video stream directly through its IP address and RTSP port — the camera does not distinguish between authorized and unauthorized connections if no authentication is required. The best way to check is to audit your router's port forwarding rules and ensure your camera requires a strong, non-default password for all access methods.
What is Shodan and can it see my camera?
Shodan is a search engine that scans and indexes internet-connected devices, including routers, servers, printers, and cameras. It does not "hack" anything — it simply catalogs what is publicly visible. If your camera has an open RTSP port (554) with no authentication, Shodan can find it and may capture a screenshot of the feed. You can search your own external IP address on Shodan to see what it finds, though a paid account is required for detailed results.
Is Ring, Nest, or Wyze safe to use?
These cameras are not typically vulnerable to the direct-exposure threat Montgomery described — they use encrypted cloud connections rather than open RTSP. However, they introduce a different risk: your footage is stored on and accessible through corporate servers. Ring has shared footage with law enforcement without owner consent, Wyze concealed a data breach, and Eufy was caught uploading data despite "no cloud" marketing. For a full analysis, see our Ring privacy article.
What is RTSP and why does it matter?
RTSP (Real-Time Streaming Protocol) is the standard protocol used by most IP cameras to transmit video over a network. It operates on port 554 by default. RTSP does not encrypt the video stream and has no built-in protection against brute-force login attempts. If a camera's RTSP stream is accessible from the internet — either through port forwarding or UPnP — and is protected only by weak or default credentials, anyone who discovers it can view the feed.
What is UPnP and why should I disable it?
UPnP (Universal Plug and Play) is a protocol that allows devices on your network to automatically open ports on your router. It was designed for convenience — making it easy for devices to become remotely accessible without manual configuration. The problem is that it does this silently, without requiring your approval. A camera (or any other device) can use UPnP to expose itself to the internet the moment it connects to your network. Disabling UPnP on your router prevents this and forces you to manually approve any port forwarding rules.
Do I need a subscription for local security camera storage?
No. Cameras that record to a local microSD card or a network video recorder (NVR) on your home network do not require any subscription. All footage stays on hardware you physically own. For software-based NVR, Frigate is a free, open-source option that runs on modest hardware (including a Raspberry Pi 5) and integrates with Home Assistant for smart home automations. See our local storage camera guide for specific product recommendations.
Can I check my camera's security without technical skills?
Yes. The three most impactful checks require no specialized knowledge: (1) search your camera's model name plus "default password" in a search engine and verify you are not using the default; (2) log into your router and look for unfamiliar port forwarding rules; (3) check your router's settings for UPnP and disable it if enabled. These three steps address the vast majority of direct-exposure risk.
