this post was submitted on 10 Jun 2025
147 points (96.8% liked)

Technology

71232 readers
4264 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
147
40K IoT cameras worldwide stream secrets to anyone with a browser. (www.bitsight.com)
submitted 1 day ago* (last edited 1 day ago) by Pro@programming.dev to c/technology@lemmy.world
17 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] hansolo@lemmy.today 38 points 1 day ago (1 children)

Shodan.io is the searchable index of open IoT devices.

Change the default password, people!

[–] dan@upvote.au 17 points 1 day ago* (last edited 1 day ago) (2 children)

Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.

To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.

I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (eg using a VLAN) and VPN in (eg using Tailscale) to connect to it remotely.

[–] hansolo@lemmy.today 20 points 1 day ago (2 children)

Yes, but no one checks the legality of cheap Chinese devices from Amazon.

[–] Manifish_Destiny@lemmy.world 5 points 1 day ago (1 children)

Also cheap cameras also tend to ship with a number of x-day vulnerabilities.

[–] dan@upvote.au 2 points 1 day ago

It's usually fine if you stick to a good well-known brand, but there's some cheaper cameras that are bootleg clones of other brands, that can't run the latest upstream firmware so they're stuck on a hacked/modified version of older firmware.

[–] dan@upvote.au 3 points 1 day ago* (last edited 1 day ago)

The good Chinese brands, if they do have a hard-coded password, usually make you change it on first login. I'm pretty sure newer Hikvision and Dahua models do this (plus their resellers/rebrands like Amcrest, Lorex, Annke, etc). You need to pay more than the garbage brands, but they're worth it.

Of course, there's all sorts of junk on Amazon that don't follow any sort of standards.

[–] Creat@discuss.tchncs.de 1 points 1 day ago* (last edited 1 day ago)

Can't remember when it came into effect, but randomized device specific passwords are also mandatory in the EU now. This was relatively recently though. It means every single device (item, not model type or class) has to have an individual password (also usually it's on a sticker or something).

And yes, connecting any ip camera to the Internet is just dumb.